CVE-2026-15076 in Vert.xinfo

Summary

by MITRE • 07/14/2026

In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacker who controls any server that the victim application contacts can inject a cookie scoped to an arbitrary third-party domain; because the session store performs no cross-domain ownership check, it stores and later transmits that cookie to the targeted domain.




When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, causing the receiving service to process the request under the attacker's account. Sensitive data included in the victim application's requests, such as payment amounts, card details, or other API payloads, may then be accessible to the attacker through their own account on that service.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability described represents a critical session management flaw in Eclipse Vert.x Web Client versions 4.5.29 and earlier, and 5.1.4 and earlier within the 5.x branch. This issue stems from inadequate validation of HTTP cookie domain attributes during session handling operations, directly contravening RFC 6265 section 5.3 which establishes fundamental security requirements for cookie domain matching. The WebClientSession component fails to enforce proper cross-domain ownership checks that should prevent cookies from being stored and transmitted across different domain boundaries, creating a significant attack surface for session hijacking and data exfiltration.

This vulnerability operates through a sophisticated attack vector where an attacker controls a server that the victim application communicates with over the network. The malicious server can inject Set-Cookie headers with Domain attributes that do not match the originating server's actual domain, exploiting the lack of validation in Vert.x Web Client's session storage mechanism. When the WebClientSession processes these responses, it indiscriminately stores cookies without verifying whether they belong to the requesting domain, creating a persistent cross-domain cookie injection capability that persists throughout the session lifecycle.

The operational impact of this vulnerability extends beyond simple session theft to enable comprehensive data compromise across multiple domains. When the victim application makes subsequent requests to the targeted domain using the compromised WebClientSession, it automatically includes the attacker-injected cookies in all HTTP requests. This allows attackers to execute unauthorized actions on behalf of legitimate users, potentially accessing sensitive financial information, personal data, or privileged API endpoints that should only be accessible to authorized personnel. The vulnerability essentially enables a form of cross-site request forgery combined with session hijacking, creating a dangerous combination for applications handling sensitive transactions.

The technical nature of this flaw aligns with CWE-613, which addresses insufficient session expiration and improper cookie validation, while also mapping to ATT&CK technique T1589.200 related to credential access through session hijacking. Organizations using Vert.x Web Client in production environments face significant risk exposure, particularly those handling financial transactions, user authentication, or sensitive data processing. The vulnerability demonstrates a fundamental failure in secure cookie management practices that should be enforced at the HTTP client level to prevent unauthorized cross-domain cookie propagation and maintain proper application security boundaries.

Mitigation strategies should include immediate upgrade to patched versions of Vert.x Web Client where available, implementing additional validation layers in application code to verify cookie domain attributes before storage, and establishing network-level controls to monitor for suspicious cookie injection patterns. Security teams should also consider implementing comprehensive monitoring for unauthorized cookie behavior and regular security assessments focusing on session management components within their applications. The vulnerability underscores the critical importance of adhering to RFC standards for HTTP cookie handling and maintaining robust validation mechanisms throughout the entire request-response lifecycle in web applications.

Responsible

Eclipse

Reservation

07/08/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00171

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!