CVE-2026-38967: CrowCpp Crow through v1
CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Response header injection in CrowCpp Crow (through v1.3.1) allows a remote, unauthenticated attacker to inject arbitrary HTTP response headers by supplying unvalidated values that are reflected back to clients. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation enables reading sensitive data, tampering with responses, and disrupting service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle CrowCpp Crow. No manual intervention is needed to trigger a scan.
Status: Available
HarborGuard scores this finding at CVSS 9.8 Critical and is capable of weighting that score against each customer environment's compliance policy, then routing the alert to the appropriate team inbox within the customer org.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a fix. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without additional steps.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Crow HTTP service over the network; no local or physical access is needed.
- Authentication: Not required
  No credentials or session token of any kind are required to send a malicious request.
- Victim interaction: Not required
  The attacker does not need to trick any user into taking an action; the injection can be triggered by a direct request to the server.
- Attack complexity: Detail
  The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental factors.
Blast Radius
- An attacker injects arbitrary headers into HTTP responses, enabling cache-poisoning attacks that persist malicious content for other users.
- Injected Set-Cookie or Location headers allow session fixation or open redirects, exposing stored session tokens and user credentials.
- Attacker-controlled response headers can be used to disable security policies (such as Content-Security-Policy or HSTS), opening the door to cross-site scripting and downgrade attacks.
- Malformed header sequences can cause HTTP parsing errors in downstream proxies or clients, crashing or destabilizing dependent services.
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-38967, HarborGuard continuously re-checks the upstream CrowCpp advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run plus a PR against affected workloads as soon as the upstream project publishes a fix. In the interim, HarborGuard flags all images containing Crow through v1.3.1 as Critical in each customer's vulnerability dashboard. Recommended compensating controls while awaiting an upstream patch include applying network-policy rules to restrict which services can receive external HTTP traffic from untrusted sources, adding an edge proxy or WAF rule that strips or rejects responses containing bare CR/LF sequences in header values, and auditing application code that passes user-supplied input directly into Crow response header fields.
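For the code-audit control above, one way to gate header writes in application code until an upstream fix exists. This is an added example, not code from Crow or HarborGuard; `set_header_checked`, the two validators and `FakeResponse` are hypothetical names, and the wrapper assumes a response type exposing `set_header(name, value)`, as `crow::response` does.

```cpp
#include <map>
#include <string>
#include <utility>

// Field names must be an RFC 9110 "token": visible ASCII without delimiters.
inline bool is_valid_header_name(const std::string& name) {
    static const std::string delimiters = "()<>@,;:\\\"/[]?={}";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (c <= 0x20 || c >= 0x7f) return false;  // controls, space, non-ASCII
        if (delimiters.find(static_cast<char>(c)) != std::string::npos) return false;
    }
    return true;
}

// Field values: reject CR, LF, NUL and every other control byte except HTAB.
inline bool is_valid_header_value(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\t') continue;
        if (c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Refuses to set the header instead of stripping bytes, so the caller can
// answer with an error rather than emit a silently altered value.
template <class Response>
bool set_header_checked(Response& res, const std::string& name, const std::string& value) {
    if (!is_valid_header_name(name) || !is_valid_header_value(value)) return false;
    res.set_header(name, value);
    return true;
}

// Constructed stand-in for crow::response so the example builds without Crow.
struct FakeResponse {
    std::map<std::string, std::string> headers;
    void set_header(std::string k, std::string v) { headers[std::move(k)] = std::move(v); }
};

int main() {
    FakeResponse res;
    // Constructed inputs: a normal redirect target and one carrying CR/LF.
    bool ok = set_header_checked(res, "Location", "/dashboard?tab=1");
    bool bad = set_header_checked(res, "Location", "/home\r\nX-Injected: 1");
    return (ok && !bad && res.headers.at("Location") == "/dashboard?tab=1") ? 0 : 1;
}
```

Routing every user-influenced header write through one wrapper also gives the audit a single symbol to search for: any remaining direct `set_header` call with request-derived data is a finding.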
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H