CVE-2026-5078
ADVISORY - githubSummary
Impact
Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.
The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.
Patches
Users should upgrade to version 1.11.0.
Workarounds
Use a custom format string that does not include :remote-user.
EPSS Score: 0.00246 (0.157)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Output Neutralization for Logs
ADVISORY - github
Improper Output Neutralization for Logs
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-5078
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumGitHub
CREATED
UPDATED
ADVISORY IDGHSA-4vj7-5mj6-jm8m
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-5078
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-