CVE-2026-3099 in libsoup
Summary
by MITRE • 03/12/2026
A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability identified as CVE-2026-3099 resides within the Libsoup library's server-side digest authentication mechanism, specifically within the SoupAuthDomainDigest class implementation. This flaw represents a critical security weakness that directly impacts the integrity of authentication processes in web applications relying on digest authentication. The vulnerability stems from improper nonce management and failure to enforce the required nonce-count incrementation mechanism that forms the foundation of secure digest authentication protocols.
The technical flaw manifests in the server's inability to properly track issued nonces and enforce the mandatory nonce-count attribute incrementation. In proper digest authentication implementations, each authentication request must include a unique nonce value that is incrementally tracked by the server to prevent replay attacks. The SoupAuthDomainDigest class fails to maintain this crucial state information, allowing attackers to capture a single valid authentication header containing a nonce and nonce-count value, then reuse this information multiple times without detection. This represents a fundamental breakdown in the authentication protocol's security model that violates established cryptographic best practices.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass complete bypass of authentication mechanisms protecting sensitive resources. An attacker exploiting this flaw can repeatedly use captured authentication headers to impersonate legitimate users and gain access to protected content, user accounts, or administrative functions within applications utilizing the vulnerable Libsoup implementation. This vulnerability particularly affects web applications and services that rely on digest authentication for HTTP authentication, potentially compromising user sessions, sensitive data access, and overall system integrity. The consequences can range from unauthorized data access to full system compromise depending on the privileges of the impersonated user.
Mitigation strategies for CVE-2026-3099 require immediate attention from system administrators and developers maintaining applications using Libsoup. The primary solution involves upgrading to a patched version of the Libsoup library that properly implements nonce tracking and nonce-count validation. Organizations should also consider implementing additional security controls such as implementing stronger authentication mechanisms like OAuth2 or JWT tokens, deploying rate limiting on authentication endpoints, and monitoring for unusual authentication patterns. From a cybersecurity perspective, this vulnerability aligns with CWE-310, which addresses cryptographic weaknesses in nonce handling, and maps to ATT&CK technique T1078.004 for valid accounts and T1566 for credential access through authentication bypass methods. The vulnerability demonstrates the critical importance of proper state management in authentication protocols and the severe consequences when cryptographic security mechanisms fail to properly enforce their required validation steps.