CVE-2026-42855

Exploit

EPSS 0.35%
Veröffentlicht 12.05.2026 21:56:08
Zuletzt bearbeitet 15.05.2026 15:54:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI. This allows an attacker who possesses any valid digest response (computed for URI-A) to authenticate requests to a completely different protected URI (URI-B), bypassing per-resource access control. This vulnerability is fixed in 3.3.8.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Espressif ≫ Arduino-esp32 Update- Version < 3.3.8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.267

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/espressif/arduino-esp32/security/advisories/GHSA-28hv-fwm3-rpcq

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-42855

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42855

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42855

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42855