{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-27959","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-02-25T03:24:57.792Z","datePublished":"2026-02-26T01:45:45.668Z","dateUpdated":"2026-07-15T01:12:18.807Z"},"containers":{"cna":{"title":"Koa has Host Header Injection via `ctx.hostname`","problemTypes":[{"descriptions":[{"cweId":"CWE-20","lang":"en","description":"CWE-20: Improper Input Validation","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"},{"name":"https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df","tags":["x_refsource_MISC"],"url":"https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"},{"name":"https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb","tags":["x_refsource_MISC"],"url":"https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"}],"affected":[{"vendor":"koajs","product":"koa","versions":[{"version":">= 3.0.0, < 3.1.2","status":"affected"},{"version":"< 2.16.4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-26T01:45:45.668Z"},"descriptions":[{"lang":"en","value":"Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}],"source":{"advisory":"GHSA-7gcc-r8m5-44qm","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-26T19:31:17.215940Z","id":"CVE-2026-27959","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T19:32:00.105Z"}},{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-dashboard-rhel9","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776742021","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","packageName":"rhoai/odh-mod-arch-model-registry-rhel9","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1776742141","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:openshift:4.19::el9"],"defaultStatus":"affected","packageName":"openshift4/ose-monitoring-plugin-rhel9","product":"Red Hat OpenShift Container Platform 4.19","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1775577192","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:rhdh:1"],"defaultStatus":"affected","packageName":"rhdh/rhdh-hub-rhel9","product":"Red Hat Developer Hub","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"unknown","packageName":"rhoai/odh-mod-arch-gen-ai-rhel9","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift_devspaces:3"],"defaultStatus":"unaffected","packageName":"devspaces/code-rhel9","product":"Red Hat OpenShift Dev Spaces","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:ansible_portal:2"],"defaultStatus":"affected","packageName":"ansible-automation-platform/automation-portal","product":"Self-service automation portal 2","vendor":"Red Hat"}],"datePublic":"2026-02-26T01:45:45.668Z","descriptions":[{"lang":"en","value":"A flaw was found in Koa’s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending a malicious Host header to influence the hostname value returned by ctx.hostname. Applications that rely on this value for generating absolute URLs, password reset links, or email verification links without additional validation may be susceptible to Host header injection attacks."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"Improper Input Validation","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-27959"},{"name":"RHBZ#2442928","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442928"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27959.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7249"}],"solutions":[{"lang":"en","value":"RHSA-2026:10184: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:7249: Red Hat OpenShift Container Platform 4.19"}],"timeline":[{"lang":"en","time":"2026-02-26T03:01:14.695Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-26T01:45:45.668Z","value":"Made public."}],"title":"koa: Koa: Host header injection vulnerability due to malformed HTTP Host header parsing","workarounds":[{"lang":"en","value":"Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates once they become available."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-15T01:12:18.807Z"}}]}}