CVE-2026-59180 in Apprise
Summary
by MITRE • 07/10/2026
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py follow HTTP redirects by default and resend user-configured auth headers and query parameters on the redirected request, allowing a compromised trusted destination or on-path attacker to receive secrets such as Authorization headers, bearer tokens, custom headers, and service keys. This issue is fixed in version 1.11.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in Apprise affects versions prior to 1.11.0 where HTTP-based notification plugins and HTTP attachment/config loaders exhibit insecure redirect handling behavior. The flaw exists in the http.py files located in both the attachment and config modules of the application. When these components process HTTP redirects, they automatically follow the redirection chain and forward user-configured authentication headers along with query parameters to the redirected endpoint.
This security weakness stems from a lack of proper validation and sanitization of redirect targets within the HTTP request handling logic. The default behavior of resending authentication credentials and sensitive configuration parameters across redirect boundaries creates an attack surface where malicious actors can intercept and extract confidential information. The vulnerability specifically impacts any authentication headers including Authorization headers, bearer tokens, custom headers, and service keys that users have configured for their notification services.
The operational impact of this vulnerability is significant as it enables both compromised trusted destinations and on-path attackers to gain access to sensitive credentials and authentication tokens. An attacker positioned between the Apprise client and a target notification service can capture these secrets during HTTP redirect operations, potentially compromising multiple notification services that rely on the affected library. This issue directly relates to CWE-201, which addresses information exposure through redirects and forwards, and aligns with ATT&CK technique T1566.001 for credential access via phishing.
The fix implemented in version 1.11.0 addresses this by modifying the HTTP redirect handling behavior to prevent automatic forwarding of authentication headers and sensitive parameters during redirection operations. This change ensures that credentials are not inadvertently transmitted to third-party endpoints during the redirect process, thereby protecting against unauthorized information disclosure. Organizations using Apprise should upgrade to version 1.11.0 or later to mitigate this risk and implement proper access controls for notification service endpoints to further reduce potential attack vectors.