How is CVE-2026-46527 exploited?

Network reachability (required): The attacker must reach the HTTP server over the network and deliver a crafted X-Forwarded-For header. Authentication (not-required): No credentials or session are needed; any client that can send an HTTP request can trigger the bug. Victim interaction (not-required): Exploitation is server-side and requires no action from a user or administrator. Attack complexity (info): AC:L: the request is a single HTTP message with a malformed header and is reliable against any server that has called set_trusted_proxies() with a non-empty list.

What is the impact of CVE-2026-46527?

Crashes the cpp-httplib server process, dropping in-flight connections and denying service to legitimate clients. Repeated requests keep the service unavailable for as long as the attacker continues sending them, with no rate-limiting barrier on the vulnerable code path. No confidentiality or integrity impact: stored data and responses to other clients are not read or modified through this bug.

Back to search

HIGHCVE-2026-46527Published 2026-05-29Modified 2026-05-29CNA GitHub_M

CVE-2026-46527: cpp-httplib: Malicious `X-Forwarded-For` Under Trusted-Proxy Configuration Triggers Empty `vector::front()`, Leading to Undefined Behavior and Server Crash

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is an undefined-behavior crash in cpp-httplib, a header-only C++ HTTP/HTTPS library. A remote, unauthenticated attacker can reach the bug over the network whenever the server has enabled Server::set_trusted_proxies() with a non-empty list, by sending a request with an X-Forwarded-For header that contains no valid IP segments. The code then calls front() on an empty std::vector inside get_client_ip(), which on typical builds terminates the worker process and denies service. A patched-image rebuild at cpp-httplib 0.44.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-46527 is ingested from upstream advisory feeds within minutes of publication and matched against cpp-httplib versions found in customer registries and CI pipelines, including statically linked copies inside custom-built images where the header is vendored.

Available

Triage

Triage is available with the published CVSS v4.0 score of 8.7 (high) applied as the baseline, then reweighted by each customer's compliance policy (for example, internet-exposed services using trusted-proxy configuration are escalated). Findings route to the inbox configured for the owning team inside each customer org.

Available

Patch

A patched-image rebuild at cpp-httplib 0.44.0 becomes available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced, the regression test suite is run against it, and a pull request is opened against the affected workloads' image manifests.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the HTTP server over the network and deliver a crafted X-Forwarded-For header.
AuthenticationNot required
No credentials or session are needed; any client that can send an HTTP request can trigger the bug.
Victim interactionNot required
Exploitation is server-side and requires no action from a user or administrator.
Attack complexityDetail
AC:L: the request is a single HTTP message with a malformed header and is reliable against any server that has called set_trusted_proxies() with a non-empty list.

Blast Radius

Crashes the cpp-httplib server process, dropping in-flight connections and denying service to legitimate clients.
Repeated requests keep the service unavailable for as long as the attacker continues sending them, with no rate-limiting barrier on the vulnerable code path.
No confidentiality or integrity impact: stored data and responses to other clients are not read or modified through this bug.

How HarborGuard Handles This

Available on HarborGuard: cpp-httplib 0.44.0 rebuilds are published for affected base and application images, and for environments with auto-remediation enabled the rebuild is produced, regression-tested, and proposed as a PR against the affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For environments that cannot upgrade immediately, a compensating control is to call Server::set_trusted_proxies() with an empty list (or skip the call entirely) until the upgrade lands, which removes the vulnerable code path; placing the service behind a reverse proxy that strips or normalizes inbound X-Forwarded-For headers also blocks the malformed input from reaching the library.

See how HarborGuard automates this

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

yhirose / cpp-httplib
< 0.44.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g