Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-15076

Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server&amp;#39;s domain, in violation of RFC 6265 section 5.3.<br /> An attacker who controls any server that the victim application contacts can inject a cookie scoped to an arbitrary third-party domain; because the session store performs no cross-domain ownership check, it stores and later transmits that cookie to the targeted domain.<br /> <br /> <br /> <br /> <br /> When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, causing the receiving service to process the request under the attacker&amp;#39;s account. Sensitive data included in the victim application&amp;#39;s requests, such as payment amounts, card details, or other API payloads, may then be accessible to the attacker through their own account on that service.

Referencias a soluciones, herramientas e información