{"api_version":"1","generated_at":"2026-06-23T17:09:08+00:00","cve":"CVE-2026-9678","urls":{"html":"https://cve.report/CVE-2026-9678","api":"https://cve.report/api/cve/CVE-2026-9678.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9678","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9678"},"summary":{"title":"undici vulnerable to cross-user information disclosure via shared cache whitespace bypass","description":"Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.","state":"PUBLISHED","assigner":"openjs","published_at":"2026-06-17 18:18:06","updated_at":"2026-06-17 20:20:10"},"problem_types":["CWE-524","CWE-524 CWE-524: Use of Cache Containing Sensitive Information"],"metrics":[{"version":"3.1","source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://cna.openjsf.org/security-advisories.html","name":"https://cna.openjsf.org/security-advisories.html","refsource":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6","name":"https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6","refsource":"ce714d77-add3-4f53-aff5-83d477b104bb","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9678","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9678","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"undici","product":"undici","version":"affected 7.0.0 7.28.0 semver","platforms":[]},{"source":"CNA","vendor":"undici","product":"undici","version":"unaffected 7.28.0 semver","platforms":[]},{"source":"CNA","vendor":"undici","product":"undici","version":"affected 8.0.0 8.5.0 semver","platforms":[]},{"source":"CNA","vendor":"undici","product":"undici","version":"unaffected 8.5.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"mcollina","lang":"en"},{"source":"CNA","value":"UlisesGascon","lang":"en"},{"source":"CNA","value":"AndrewMohawk","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"9678","cve":"CVE-2026-9678","epss":"0.002290000","percentile":"0.134370000","score_date":"2026-06-22","updated_at":"2026-06-23 00:09:28"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9678","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-17T18:05:24.378630Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-17T18:05:30.162Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","packageURL":"pkg:npm/undici","product":"undici","vendor":"undici","versions":[{"lessThan":"7.28.0","status":"affected","version":"7.0.0","versionType":"semver"},{"status":"unaffected","version":"7.28.0","versionType":"semver"},{"lessThan":"8.5.0","status":"affected","version":"8.0.0","versionType":"semver"},{"status":"unaffected","version":"8.5.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"remediation developer","value":"mcollina"},{"lang":"en","type":"remediation reviewer","value":"UlisesGascon"},{"lang":"en","type":"reporter","value":"AndrewMohawk"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."}],"value":"Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream."}],"metrics":[{"cvssV3_1":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-524","description":"CWE-524: Use of Cache Containing Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-17T17:04:09.680Z","orgId":"ce714d77-add3-4f53-aff5-83d477b104bb","shortName":"openjs"},"references":[{"url":"https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6"},{"url":"https://cna.openjsf.org/security-advisories.html"}],"title":"undici vulnerable to cross-user information disclosure via shared cache whitespace bypass","x_generator":{"engine":"cve-kit 1.0.0"}}},"cveMetadata":{"assignerOrgId":"ce714d77-add3-4f53-aff5-83d477b104bb","assignerShortName":"openjs","cveId":"CVE-2026-9678","datePublished":"2026-06-17T17:04:09.680Z","dateReserved":"2026-05-27T08:05:04.453Z","dateUpdated":"2026-06-17T18:05:30.162Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-17 18:18:06","lastModifiedDate":"2026-06-17 20:20:10","problem_types":["CWE-524","CWE-524 CWE-524: Use of Cache Containing Sensitive Information"],"metrics":{"cvssMetricV31":[{"source":"ce714d77-add3-4f53-aff5-83d477b104bb","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-17T18:05:24.378630Z","id":"CVE-2026-9678","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9678","Ordinal":"1","Title":"undici vulnerable to cross-user information disclosure via share","CVE":"CVE-2026-9678","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9678","Ordinal":"1","NoteData":"Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.","Type":"Description","Title":"undici vulnerable to cross-user information disclosure via share"}]}}}