CVE-2026-25679 - url.Parse insufficiently validated the host/authority component and accepted some invalid URLs
CVE-2026-25679 + url.Parse insufficiently validated the host/authority component and accepted some invalid URLs + High + 2026-03-06
One-sentence business risk
Broken authentication or authorization can expose tenant data and administrator actions, which buyers treat as a release blocker.
Research notes
- Root cause: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- Affected versions: Affected versions named by the upstream advisory and dependency metadata.
- Fixed / safe versions: Vendor-fixed release or mitigation named by the upstream advisory.
- Public exploit / PoC signal: the consulted NVD/GHSA/vendor sources describe the trigger class; treat it as reproducible until patched.
- CVSS: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Exact vulnerable code pattern
update_or_read(request.body.target_id) # no owner/role check
Fixed / mitigated code pattern
target = load_owned_resource(actor, target_id); require_role(actor, target, "admin")
Dependency or runtime update:
rg -n "affected component|CVE-2026-25679" .
# update affected runtime/product to Vendor-fixed release or mitigation named by the upstream advisory
Step-by-step integration guide
- Inventory
affected componentacross source, lockfiles, SBOMs, container images, CI images, and deployment manifests. - Upgrade to
Vendor-fixed release or mitigation named by the upstream advisoryor apply the exact vendor patch referenced below. - Replace the vulnerable
authzpattern with the fixed pattern and fail closed on malformed input. - Add a regression test that exercises the advisory trigger and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor security logs and resource metrics, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path while the package/runtime update rolls out.
- Add WAF or reverse-proxy rules for traversal tokens, prototype-polluting keys, oversized frames, shell metacharacters, or unauthenticated tool calls matching the trigger class.
- Restrict internal egress, rotate exposed secrets, and revoke affected tokens/keys if the vulnerability can disclose config, logs, JWT secrets, proxy credentials, or PKI material.
- For admin/API authorization issues, temporarily require elevated roles and explicit ownership checks at the gateway.
Detection signature
id: cve-2026-25679-url-parse-insufficiently-validated-the-host-auth
source: NVD bulk JSON feed
dependency_or_product: "affected component"
affected: "Affected versions named by the upstream advisory and dependency metadata"
fixed: "Vendor-fixed release or mitigation named by the upstream advisory"
signals:
- "authz"
- "../"
- "__proto__"
- "tools/call"
- "wp_ajax_nopriv"
- "pickle.loads"
- "shell command construction"
action: "upgrade, add regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2026-25679 (url.Parse insufficiently validated the host/authority component and accepted some invalid URLs) in this repository.
Find every affected dependency, runtime, image, service configuration, and reachable code path. Upgrade or patch to Vendor-fixed release or mitigation named by the upstream advisory. Replace the vulnerable authz pattern with a fail-closed implementation, add a regression test for the trigger shape, and update deployment/SBOM artifacts. If this repository does not control the affected runtime, create TRIAGE.md naming the owner, affected version, fixed version, and blocking decision.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-25679,authz,affected component,NVD bulk JSON feed. - Affected tech stack:
general. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.
References
- https://access.redhat.com/errata/RHSA-2026:10065
- https://access.redhat.com/errata/RHSA-2026:10125
- https://access.redhat.com/errata/RHSA-2026:10133
- https://access.redhat.com/errata/RHSA-2026:10140
- https://access.redhat.com/errata/RHSA-2026:10141
- https://access.redhat.com/errata/RHSA-2026:10158
- https://access.redhat.com/errata/RHSA-2026:10169
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:10225
- https://access.redhat.com/errata/RHSA-2026:10250
- https://access.redhat.com/errata/RHSA-2026:10701
- https://access.redhat.com/errata/RHSA-2026:10712
- https://access.redhat.com/errata/RHSA-2026:10929
- https://access.redhat.com/errata/RHSA-2026:11217
- https://access.redhat.com/errata/RHSA-2026:11375
- https://access.redhat.com/errata/RHSA-2026:11412
- https://access.redhat.com/errata/RHSA-2026:11413
- https://access.redhat.com/errata/RHSA-2026:11686
- https://access.redhat.com/errata/RHSA-2026:11688
- https://access.redhat.com/errata/RHSA-2026:11747
- https://access.redhat.com/errata/RHSA-2026:11749
- https://access.redhat.com/errata/RHSA-2026:11768
- https://access.redhat.com/errata/RHSA-2026:11800
- https://access.redhat.com/errata/RHSA-2026:11856
- https://access.redhat.com/errata/RHSA-2026:11916
- https://access.redhat.com/errata/RHSA-2026:11996
- https://access.redhat.com/errata/RHSA-2026:12028
- https://access.redhat.com/errata/RHSA-2026:12029
- https://access.redhat.com/errata/RHSA-2026:12030
- https://access.redhat.com/errata/RHSA-2026:12031
- https://access.redhat.com/errata/RHSA-2026:12032
- https://access.redhat.com/errata/RHSA-2026:12033
- https://access.redhat.com/errata/RHSA-2026:12282
- https://access.redhat.com/errata/RHSA-2026:13508
- https://access.redhat.com/errata/RHSA-2026:13512
- https://access.redhat.com/errata/RHSA-2026:13545
- https://access.redhat.com/errata/RHSA-2026:13642
- https://access.redhat.com/errata/RHSA-2026:13643
- https://access.redhat.com/errata/RHSA-2026:13671
- https://access.redhat.com/errata/RHSA-2026:13791
- https://access.redhat.com/errata/RHSA-2026:13829
- https://access.redhat.com/errata/RHSA-2026:14020
- https://access.redhat.com/errata/RHSA-2026:14100
- https://access.redhat.com/errata/RHSA-2026:14774
- https://access.redhat.com/errata/RHSA-2026:14868
- https://access.redhat.com/errata/RHSA-2026:14879
- https://access.redhat.com/errata/RHSA-2026:15091
- https://access.redhat.com/errata/RHSA-2026:16102
- https://access.redhat.com/errata/RHSA-2026:16696
- https://access.redhat.com/errata/RHSA-2026:16874
- https://access.redhat.com/errata/RHSA-2026:16875
- https://access.redhat.com/errata/RHSA-2026:17040
- https://access.redhat.com/errata/RHSA-2026:17084
- https://access.redhat.com/errata/RHSA-2026:17287
- https://access.redhat.com/errata/RHSA-2026:17598
- https://access.redhat.com/errata/RHSA-2026:19017
- https://access.redhat.com/errata/RHSA-2026:19022
- https://access.redhat.com/errata/RHSA-2026:19026
- https://access.redhat.com/errata/RHSA-2026:19027
- https://access.redhat.com/errata/RHSA-2026:19031
- https://access.redhat.com/errata/RHSA-2026:19032
- https://access.redhat.com/errata/RHSA-2026:19049
- https://access.redhat.com/errata/RHSA-2026:19055
- https://access.redhat.com/errata/RHSA-2026:19126
- https://access.redhat.com/errata/RHSA-2026:19128
- https://access.redhat.com/errata/RHSA-2026:19132
- https://access.redhat.com/errata/RHSA-2026:19133
- https://access.redhat.com/errata/RHSA-2026:19135
- https://access.redhat.com/errata/RHSA-2026:19181
- https://access.redhat.com/errata/RHSA-2026:19184
- https://access.redhat.com/errata/RHSA-2026:19185
- https://access.redhat.com/errata/RHSA-2026:19207
- https://access.redhat.com/errata/RHSA-2026:19350
- https://access.redhat.com/errata/RHSA-2026:19353
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:19475
- https://access.redhat.com/errata/RHSA-2026:19634
- https://access.redhat.com/errata/RHSA-2026:19719
- https://access.redhat.com/errata/RHSA-2026:19720
- https://access.redhat.com/errata/RHSA-2026:19721
- https://access.redhat.com/errata/RHSA-2026:19750
- https://access.redhat.com/errata/RHSA-2026:20041
- https://access.redhat.com/errata/RHSA-2026:20088
- https://access.redhat.com/errata/RHSA-2026:20581
- https://access.redhat.com/errata/RHSA-2026:20582
- https://access.redhat.com/errata/RHSA-2026:20584
- https://access.redhat.com/errata/RHSA-2026:20889
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:21655
- https://access.redhat.com/errata/RHSA-2026:21657
- https://access.redhat.com/errata/RHSA-2026:21691
- https://access.redhat.com/errata/RHSA-2026:21696
- https://access.redhat.com/errata/RHSA-2026:21769
- https://access.redhat.com/errata/RHSA-2026:22347
- https://access.redhat.com/errata/RHSA-2026:22423
- https://access.redhat.com/errata/RHSA-2026:22450
- https://access.redhat.com/errata/RHSA-2026:22627
- https://access.redhat.com/errata/RHSA-2026:22714
- https://access.redhat.com/errata/RHSA-2026:22733
- https://access.redhat.com/errata/RHSA-2026:22862
- https://access.redhat.com/errata/RHSA-2026:22937
- https://access.redhat.com/errata/RHSA-2026:23228
- https://access.redhat.com/errata/RHSA-2026:23345
- https://access.redhat.com/errata/RHSA-2026:24386
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:25043
- https://access.redhat.com/errata/RHSA-2026:25127
- https://access.redhat.com/errata/RHSA-2026:25180
- https://access.redhat.com/errata/RHSA-2026:25248
- https://access.redhat.com/errata/RHSA-2026:25250
- https://access.redhat.com/errata/RHSA-2026:25251
- https://access.redhat.com/errata/RHSA-2026:25252
- https://access.redhat.com/errata/RHSA-2026:25253
- https://access.redhat.com/errata/RHSA-2026:26445
- https://access.redhat.com/errata/RHSA-2026:26527
- https://access.redhat.com/errata/RHSA-2026:26541
- https://access.redhat.com/errata/RHSA-2026:26568
- https://access.redhat.com/errata/RHSA-2026:26585
- https://access.redhat.com/errata/RHSA-2026:26636
- https://access.redhat.com/errata/RHSA-2026:27076
- https://access.redhat.com/errata/RHSA-2026:28047
- https://access.redhat.com/errata/RHSA-2026:28441
- https://access.redhat.com/errata/RHSA-2026:29035
- https://access.redhat.com/errata/RHSA-2026:29195
- https://access.redhat.com/errata/RHSA-2026:29455
- https://access.redhat.com/errata/RHSA-2026:29702
- https://access.redhat.com/errata/RHSA-2026:29703
- https://access.redhat.com/errata/RHSA-2026:29854
- https://access.redhat.com/errata/RHSA-2026:33722
- https://access.redhat.com/errata/RHSA-2026:5110
- https://access.redhat.com/errata/RHSA-2026:5549
- https://access.redhat.com/errata/RHSA-2026:5941
- https://access.redhat.com/errata/RHSA-2026:5942
- https://access.redhat.com/errata/RHSA-2026:5943
- https://access.redhat.com/errata/RHSA-2026:5944
- https://access.redhat.com/errata/RHSA-2026:6341
- https://access.redhat.com/errata/RHSA-2026:6344
- https://access.redhat.com/errata/RHSA-2026:6382
- https://access.redhat.com/errata/RHSA-2026:6383
- https://access.redhat.com/errata/RHSA-2026:6388
- https://access.redhat.com/errata/RHSA-2026:6564
- https://access.redhat.com/errata/RHSA-2026:6720
- https://access.redhat.com/errata/RHSA-2026:6802
- https://access.redhat.com/errata/RHSA-2026:6949
- https://access.redhat.com/errata/RHSA-2026:7005
- https://access.redhat.com/errata/RHSA-2026:7009
- https://access.redhat.com/errata/RHSA-2026:7011
- https://access.redhat.com/errata/RHSA-2026:7259
- https://access.redhat.com/errata/RHSA-2026:7291
- https://access.redhat.com/errata/RHSA-2026:7315
- https://access.redhat.com/errata/RHSA-2026:7328
- https://access.redhat.com/errata/RHSA-2026:7385
- https://access.redhat.com/errata/RHSA-2026:7665
- https://access.redhat.com/errata/RHSA-2026:7669
- https://access.redhat.com/errata/RHSA-2026:7674
- https://access.redhat.com/errata/RHSA-2026:7833
- https://access.redhat.com/errata/RHSA-2026:7834
- https://access.redhat.com/errata/RHSA-2026:7876
- https://access.redhat.com/errata/RHSA-2026:7877
- https://access.redhat.com/errata/RHSA-2026:7878
- https://access.redhat.com/errata/RHSA-2026:7879
- https://access.redhat.com/errata/RHSA-2026:7883
- https://access.redhat.com/errata/RHSA-2026:7992
- https://access.redhat.com/errata/RHSA-2026:8151
- https://access.redhat.com/errata/RHSA-2026:8167
- https://access.redhat.com/errata/RHSA-2026:8314
- https://access.redhat.com/errata/RHSA-2026:8322
- https://access.redhat.com/errata/RHSA-2026:8324
- https://access.redhat.com/errata/RHSA-2026:8337
- https://access.redhat.com/errata/RHSA-2026:8338
- https://access.redhat.com/errata/RHSA-2026:8433
- https://access.redhat.com/errata/RHSA-2026:8434
- https://access.redhat.com/errata/RHSA-2026:8456
- https://access.redhat.com/errata/RHSA-2026:8483
- https://access.redhat.com/errata/RHSA-2026:8484
- https://access.redhat.com/errata/RHSA-2026:8490
- https://access.redhat.com/errata/RHSA-2026:8491
- https://access.redhat.com/errata/RHSA-2026:8493
- https://access.redhat.com/errata/RHSA-2026:8840
- https://access.redhat.com/errata/RHSA-2026:8841
- https://access.redhat.com/errata/RHSA-2026:8842
- https://access.redhat.com/errata/RHSA-2026:8845
- https://access.redhat.com/errata/RHSA-2026:8847
- https://access.redhat.com/errata/RHSA-2026:8848
- https://access.redhat.com/errata/RHSA-2026:8849
- https://access.redhat.com/errata/RHSA-2026:8851
- https://access.redhat.com/errata/RHSA-2026:8852
- https://access.redhat.com/errata/RHSA-2026:8853
- https://access.redhat.com/errata/RHSA-2026:8855
- https://access.redhat.com/errata/RHSA-2026:8856
- https://access.redhat.com/errata/RHSA-2026:8860
- https://access.redhat.com/errata/RHSA-2026:8877
- https://access.redhat.com/errata/RHSA-2026:8878
- https://access.redhat.com/errata/RHSA-2026:8879
- https://access.redhat.com/errata/RHSA-2026:8881
- https://access.redhat.com/errata/RHSA-2026:8882
- https://access.redhat.com/errata/RHSA-2026:8930
- https://access.redhat.com/errata/RHSA-2026:8931
- https://access.redhat.com/errata/RHSA-2026:8949
- https://access.redhat.com/errata/RHSA-2026:9043
- https://access.redhat.com/errata/RHSA-2026:9044
- https://access.redhat.com/errata/RHSA-2026:9052
- https://access.redhat.com/errata/RHSA-2026:9090
- https://access.redhat.com/errata/RHSA-2026:9093
- https://access.redhat.com/errata/RHSA-2026:9094
- https://access.redhat.com/errata/RHSA-2026:9097
- https://access.redhat.com/errata/RHSA-2026:9098
- https://access.redhat.com/errata/RHSA-2026:9108
- https://access.redhat.com/errata/RHSA-2026:9109
- https://access.redhat.com/errata/RHSA-2026:9385
- https://access.redhat.com/errata/RHSA-2026:9434
- https://access.redhat.com/errata/RHSA-2026:9435
- https://access.redhat.com/errata/RHSA-2026:9436
- https://access.redhat.com/errata/RHSA-2026:9439
- https://access.redhat.com/errata/RHSA-2026:9440
- https://access.redhat.com/errata/RHSA-2026:9448
- https://access.redhat.com/errata/RHSA-2026:9453
- https://access.redhat.com/errata/RHSA-2026:9461
- https://access.redhat.com/errata/RHSA-2026:9695
- https://access.redhat.com/errata/RHSA-2026:9742
- https://access.redhat.com/errata/RHSA-2026:9872
- https://access.redhat.com/security/cve/CVE-2026-25679
- https://bugzilla.redhat.com/show_bug.cgi?id=2445356
- https://go.dev/cl/752180
- https://go.dev/issue/77578
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
- https://nvd.nist.gov/vuln/detail/CVE-2026-25679
- https://pkg.go.dev/vuln/GO-2026-4601
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-25679.json