{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34226", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.033Z", "datePublished": "2026-03-27T21:17:24.777Z", "dateUpdated": "2026-03-27T21:17:24.777Z"}, "containers": {"cna": {"title": "Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-359", "lang": "en", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"}, {"name": "https://github.com/capricorn86/happy-dom/pull/2117", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/pull/2117"}, {"name": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751"}, {"name": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts"}, {"name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9"}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"version": "< 20.8.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:17:24.777Z"}, "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "source": {"advisory": "GHSA-w4gp-fjgq-3q4g", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "id": "CVE-2026-34226", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:23.113", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/pull/2117"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-359"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "happy-dom: Happy DOM: Information disclosure via incorrect cookie handling in fetch requests", "id": "2452519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452519"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.", "A flaw was found in Happy DOM, a JavaScript implementation of a web browser without its graphical user interface. This vulnerability allows for information disclosure where cookies from the current page's origin can be inadvertently attached to network requests made to a different destination. This occurs when the `fetch` function is used with the `credentials: \"include\"` option, potentially leading to the leakage of sensitive user data to unintended recipients."], "name": "CVE-2026-34226", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-27T21:17:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34226\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34226\nhttps://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts\nhttps://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751\nhttps://github.com/capricorn86/happy-dom/pull/2117\nhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.9\nhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,20.8.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "happy-dom", "source": "cna", "vendor": "capricorn86"}, "product": "happy-dom", "vendor": "capricorn86"}], "analysis": {"en": {"generated_at": "2026-03-28T05:55:48.812633+00:00", "value": {"mitigation_remediation": ["Upgrade Happy DOM to version 20.8.9 or later to apply the fixed cookie handling behavior.", "If an upgrade is deferred, ensure that fetch requests using credentials: 'include' are only performed for same\u2011origin URLs, or switch credentials to 'omit' when making cross\u2011origin requests.", "Review any code that programmatically sets fetch headers to verify that no cross\u2011origin credentialed requests inadvertently leak cookies."], "summary": {"action": "Patch Now", "impact": "Information Leakage via Cookie Falsely Attached on Cross\u2011Origin Fetch"}, "threat_synthesis": {"affected_systems": "Affected systems are projects that depend on the Happy DOM library prior to release 20.8.9. Vendor Capricorn86 maintains the project; any project using Happy DOM versions older than v20.8.9 is vulnerable. The fix is included in v20.8.9, which now correctly scopes cookies to the request target origin.", "description_and_impact": "The vulnerability occurs when the Happy DOM library, used to emulate a web browser in JavaScript, incorrectly attaches cookies from the current page origin (window.location) to network requests made with fetch(..., { credentials: 'include' }). This means that when a cross\u2011origin request is performed, cookies intended for origin A can be sent to origin B, potentially exposing session tokens or other sensitive credentials to an unintended third party. The weakness arises from a failure to enforce the correct cookie target origin, effectively leaking information through the request headers.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and while no EPSS value is reported, the vulnerability is not in the CISA KEV catalog, suggesting no widespread exploitation has been documented yet. The likely attack path involves any application that invokes fetch with credentials: 'include' across origins under an attacker\u2011controlled or compromised target. An attacker capable of observing the outgoing traffic could capture the leaked cookies, leading to potential session hijacking or unauthorized access. Mitigation hinges on patching or avoiding cross\u2011origin credentialed requests."}}}}, "created": "2026-03-29T20:29:45.281296+00:00", "updated": "2026-03-30T07:00:10.460733+00:00", "vendors": ["capricorn86", "capricorn86$PRODUCT$happy-dom"]}