CVE-2026-5078

ADVISORY - github

Summary

Impact

Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.

The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.

Patches

Users should upgrade to version 1.11.0.

Workarounds

Use a custom format string that does not include :remote-user.

EPSS Score: 0.00246 (0.157)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Output Neutralization for Logs

ADVISORY - github

Improper Output Neutralization for Logs


NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-5078
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2026-5078
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium