CVE-2026-32627
cpp-httplib has a Silent TLS Certificate Verification Bypass on HTTPS Redirect via Proxy
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
INFO
Published Date :
March 13, 2026, 8:48 p.m.
Last Modified :
March 13, 2026, 8:48 p.m.
Remotely Exploit :
Yes !
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-32627
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | MITRE-CVE |
Solution
- Update cpp-httplib to version 0.37.2 or later.
- Ensure TLS certificate verification is enabled for all connections.
- Review proxy configurations for secure settings.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-32627 vulnerability anywhere in the article.