HIGH | CVE-2026-55202 | Published | Modified | CNA: VulnCheck

CVE-2026-55202: Tinyproxy - Stathost Detection Bypass via Host Header Manipulation

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to reach the stats page by injecting a matching Host header, or to bypass detection altogether via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics, or cause requests to be misrouted as transparent proxy connections and so circumvent access controls.

Metrics

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: 09312a185ae25cc486b4ff5987638a7917a48bce
Affected Products: 1

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in Tinyproxy (versions through 1.11.3) allows unauthenticated remote attackers to access the proxy's internal stats page by manipulating the Host header during stathost detection. The flaw is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation exposes internal proxy statistics and allows request misrouting that circumvents access controls. A patched-image rebuild at the fixed commit (09312a185ae25cc486b4ff5987638a7917a48bce) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Tinyproxy. Any image containing a Tinyproxy binary at or below version 1.11.3 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at 8.8 HIGH (CVSS v4.0) and applies each customer organization's compliance policy weighting to determine urgency before routing findings to the appropriate team inbox within that org.

Patch (Available)

A patched-image rebuild pinned to commit 09312a185ae25cc486b4ff5987638a7917a48bce is available on HarborGuard for any environment running an affected Tinyproxy version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Tinyproxy service over the network; no local access or physical proximity is required.

  • Authentication: Not required

    No credentials are needed; the bypass is available to any unauthenticated caller who can send an HTTP request to the proxy.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is straightforward and condition-free; crafting a manipulated Host header requires no race condition, memory-layout knowledge, or environmental prerequisite.
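To make the two bypass conditions above concrete from the defender's side, here is an added example of a strict Host-header check; it is not Tinyproxy's code and not the upstream fix in 09312a1, but illustrates what stathost detection must enforce: an exact, case-insensitive name match, and an explicit ":port" accepted only when it equals the port the proxy actually listens on. The stats-host name and listening port in the comments and tests are assumed values.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Illustrative strict matcher, not Tinyproxy's code: does the Host header
 * value designate the configured stats host? The name must match exactly
 * (case-insensitive, no prefix or suffix); an explicit ":port" is accepted
 * only when it is the port the proxy listens on. Everything else is treated
 * as an ordinary proxied request. Returns 1 for a match, 0 otherwise. */
int stathost_matches(const char *host_hdr, const char *stathost,
                     unsigned long listen_port)
{
    char buf[256];
    size_t n;
    char *colon;

    if (host_hdr == NULL || stathost == NULL)
        return 0;

    /* Trim surrounding whitespace and line ends before comparing. */
    while (*host_hdr == ' ' || *host_hdr == '\t')
        host_hdr++;
    n = strlen(host_hdr);
    while (n > 0 && strchr(" \t\r\n", host_hdr[n - 1]) != NULL)
        n--;
    if (n == 0 || n >= sizeof buf)
        return 0;
    memcpy(buf, host_hdr, n);
    buf[n] = '\0';

    /* A bracketed IPv6 literal can never be the configured stats name. */
    if (buf[0] == '[')
        return 0;

    /* Optional ":port": must be all digits and equal the listening port. */
    colon = strchr(buf, ':');
    if (colon != NULL) {
        char *end;
        *colon = '\0';
        if (!isdigit((unsigned char)colon[1]))
            return 0;
        if (strtoul(colon + 1, &end, 10) != listen_port || *end != '\0')
            return 0;
    }

    /* Exact, case-insensitive hostname comparison; no partial matches. */
    return strcasecmp(buf, stathost) == 0;
}
```

A match only decides routing; the stats page itself should still be gated by a source-address allow-list, since any client that can reach the proxy can send any Host value.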

Blast Radius

  • Reads internal proxy statistics (connection counts, request logs, and configuration details) from the stathost page without authorization.
  • Misroutes HTTP requests by bypassing stathost detection, causing requests that should be blocked or handled as admin traffic to be forwarded as transparent proxy connections.
  • Allows an attacker to probe internal network topology or backend services by abusing the misrouted request path.

How HarborGuard Handles This

Available on HarborGuard: images containing Tinyproxy at or below version 1.11.3 are matched against this CVE within minutes of advisory publication, including internally built images that vendor the binary. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched commit (09312a185ae25cc486b4ff5987638a7917a48bce), runs a regression test suite, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated changes, the finding is routed to the responsible team inbox with remediation guidance. As a compensating control while a rebuild is staged, network policy rules that restrict inbound access to the Tinyproxy port to trusted source ranges reduce the exposed attack surface.

Fix available

Patch commits: 09312a185ae25cc486b4ff5987638a7917a48bce

Affected packages
  • tinyproxy / tinyproxy, ≤ 1.11.3, fixed in 09312a185ae25cc486b4ff5987638a7917a48bce

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N