Header-Injection

Attackers can exploit Heimdall proxy versions <= 0.17.16 operating in proxy mode by injecting malicious values into the `Host` HTTP header, leading to the construction of a manipulated `Forwarded` header that can spoof client IP addresses for upstream services, potentially bypassing IP-based access controls.

CVE-2026-46579 describes a vulnerability in the Red Hat OpenShift Router. When a Route is configured with `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend fails to remove `X-SSL-Client-*` headers from incoming requests, allowing unauthenticated attackers to bypass mutual TLS authentication and impersonate client certificate identities.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to perform an HTTP response header injection, enabling cross-site scripting (XSS), open redirect attacks, and cache or header manipulation.

SillyTavern versions 1.17.0 and earlier are vulnerable to an authentication bypass (CVE-2026-44649) via HTTP header injection, where the application accepts Remote-User and X-Authentik-Username headers for SSO without proper validation, allowing attackers to impersonate any user, including administrators, if SSO is enabled.

A CRLF header injection vulnerability in Plunk versions prior to 0.8.0 allows authenticated API users to inject arbitrary email headers, enabling silent email forwarding, reply redirection, or sender spoofing.

OpenClaw before 2026.3.7 is vulnerable to improper header validation in fetchWithSsrFGuard, allowing attackers to intercept sensitive authorization headers via cross-origin redirects.

The RedirectHandler middleware in multiple Kiota libraries fails to strip sensitive HTTP headers (Cookie, Proxy-Authorization, and custom headers) when following 3xx redirects to a different host or scheme, potentially leading to session hijacking, corporate proxy credential theft, and API key theft.

A prototype pollution vulnerability in the Axios HTTP adapter allows an attacker to inject arbitrary HTTP headers into outgoing requests by polluting the Object prototype with specific properties, leading to potential authentication bypass and privilege escalation.