CVE-2026-32881 (GCVE-0-2026-32881)

Vulnerability from cvelistv5 – Published: 2026-03-20 01:18 – Updated: 2026-03-20 20:03
Title
ewe has an Overly Permissive List of Allowed Inputs
Summary
ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.
CWE
  • CWE-183 - Permissive List of Allowed Inputs
Assigner
Impacted products
Vendor        Product   Version
vshakitskiy   ewe       Affected: >= 0.6.0, < 3.0.5

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32881",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T20:03:32.503096Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T20:03:41.064Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ewe",
          "vendor": "vshakitskiy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.6.0, \u003c 3.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names.  A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-183",
              "description": "CWE-183: Permissive List of Allowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T01:18:55.382Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp"
        },
        {
          "name": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39"
        },
        {
          "name": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba"
        },
        {
          "name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5"
        }
      ],
      "source": {
        "advisory": "GHSA-9w88-79f8-m3vp",
        "discovery": "UNKNOWN"
      },
      "title": "ewe has an Overly Permissive List of Allowed Inputs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32881",
    "datePublished": "2026-03-20T01:18:55.382Z",
    "dateReserved": "2026-03-16T21:03:44.420Z",
    "dateUpdated": "2026-03-20T20:03:41.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-32881",
      "date": "2026-05-04",
      "epss": "0.00085",
      "percentile": "0.24482"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32881\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T02:16:36.237\",\"lastModified\":\"2026-03-23T17:03:15.093\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names.  A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.\"},{\"lang\":\"es\",\"value\":\"ewe es un servidor web Gleam. ewe es un servidor web Gleam. Las versiones 0.6.0 a 3.0.4 son vulnerables a la omisi\u00f3n de autenticaci\u00f3n o a encabezados de confianza de proxy falsificados. El manejo de trailers de codificaci\u00f3n de transferencia por bloques fusiona los campos de trailer declarados en req.headers despu\u00e9s del an\u00e1lisis del cuerpo, pero la lista de denegaci\u00f3n solo bloquea 9 nombres de encabezado. Un cliente malicioso puede explotar esto declarando estos encabezados en el campo Trailer y a\u00f1adi\u00e9ndolos despu\u00e9s del \u00faltimo bloque, lo que hace que request.set_header sobrescriba valores leg\u00edtimos (por ejemplo, los establecidos por un proxy inverso). Esto permite a los atacantes falsificar credenciales de autenticaci\u00f3n, secuestrar sesiones, omitir la limitaci\u00f3n de velocidad basada en IP o falsificar encabezados de confianza de proxy en cualquier middleware posterior que lea los encabezados despu\u00e9s de que se llame a ewe.read_body. Este problema ha sido solucionado en la versi\u00f3n 3.0.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-183\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.0.5\",\"matchCriteriaId\":\"D14F72FF-5C22-4D38-A4A3-43EC2FCF386D\"}]}]}],\"references\":[{\"url\":\"https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32881\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T20:03:32.503096Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T20:03:37.662Z\"}}], \"cna\": {\"title\": \"ewe has an Overly Permissive List of Allowed Inputs\", \"source\": {\"advisory\": \"GHSA-9w88-79f8-m3vp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vshakitskiy\", \"product\": \"ewe\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.6.0, \u003c 3.0.5\"}]}], \"references\": [{\"url\": \"https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp\", \"name\": \"https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39\", \"name\": \"https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba\", \"name\": \"https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5\", \"name\": \"https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names.  A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-183\", \"description\": \"CWE-183: Permissive List of Allowed Inputs\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T01:18:55.382Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32881\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T20:03:41.064Z\", \"dateReserved\": \"2026-03-16T21:03:44.420Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T01:18:55.382Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}