{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-03-20T01:18:55.382Z", "dateUpdated": "2026-03-20T20:03:41.064Z"}, "containers": {"cna": {"title": "ewe has an Overly Permissive List of Allowed Inputs", "problemTypes": [{"descriptions": [{"cweId": "CWE-183", "lang": "en", "description": "CWE-183: Permissive List of Allowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp"}, {"name": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39"}, {"name": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba"}, {"name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5"}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"version": ">= 0.6.0, < 3.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:18:55.382Z"}, "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."}], "source": {"advisory": "GHSA-9w88-79f8-m3vp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:03:32.503096Z", "id": "CVE-2026-32881", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:03:41.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:03:32.503096Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:03:37.662Z"}}], "cna": {"title": "ewe has an Overly Permissive List of Allowed Inputs", "source": {"advisory": "GHSA-9w88-79f8-m3vp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vshakitskiy", "product": "ewe", "versions": [{"status": "affected", "version": ">= 0.6.0, < 3.0.5"}]}], "references": [{"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp", "name": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39", "name": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba", "name": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5", "name": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-183", "description": "CWE-183: Permissive List of Allowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:18:55.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32881", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:03:41.064Z", "dateReserved": "2026-03-16T21:03:44.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:18:55.382Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vshakitskiy:ewe:*:*:*:*:*:*:*:*", "matchCriteriaId": "D14F72FF-5C22-4D38-A4A3-43EC2FCF386D", "versionEndExcluding": "3.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5."}, {"lang": "es", "value": "ewe es un servidor web Gleam. ewe es un servidor web Gleam. Las versiones 0.6.0 a 3.0.4 son vulnerables a la omisi\u00f3n de autenticaci\u00f3n o a encabezados de confianza de proxy falsificados. El manejo de trailers de codificaci\u00f3n de transferencia por bloques fusiona los campos de trailer declarados en req.headers despu\u00e9s del an\u00e1lisis del cuerpo, pero la lista de denegaci\u00f3n solo bloquea 9 nombres de encabezado. Un cliente malicioso puede explotar esto declarando estos encabezados en el campo Trailer y a\u00f1adi\u00e9ndolos despu\u00e9s del \u00faltimo bloque, lo que hace que request.set_header sobrescriba valores leg\u00edtimos (por ejemplo, los establecidos por un proxy inverso). Esto permite a los atacantes falsificar credenciales de autenticaci\u00f3n, secuestrar sesiones, omitir la limitaci\u00f3n de velocidad basada en IP o falsificar encabezados de confianza de proxy en cualquier middleware posterior que lea los encabezados despu\u00e9s de que se llame a ewe.read_body. Este problema ha sido solucionado en la versi\u00f3n 3.0.5."}], "id": "CVE-2026-32881", "lastModified": "2026-03-23T17:03:15.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:36.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vshakitskiy/ewe/commit/07dcfd2135fc95f38c17a9d030de3d7efee1ee39"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vshakitskiy/ewe/commit/94ab6e7bf7293e987ae98b4daa51ea131c2671ba"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Product"], "url": "https://github.com/vshakitskiy/ewe/releases/tag/v3.0.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-9w88-79f8-m3vp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-183"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.6.0,3.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ewe", "source": "cna", "vendor": "vshakitskiy"}, "product": "ewe", "vendor": "vshakitskiy"}], "analysis": {"en": {"generated_at": "2026-03-23T18:29:02.706374+00:00", "value": {"mitigation_remediation": ["Apply the latest patch by upgrading ewe to version 3.0.5 or newer."], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is the Gleam web server named \u201cewe\u201d developed by vshakitskiy. Versions from 0.6.0 up to and including 3.0.4 are vulnerable. The vulnerability was addressed in release 3.0.5, which removes the permissive handling of trailer headers.", "description_and_impact": "The vulnerability resides in the handling of HTTP chunked transfer-encoding trailers by the Gleam web server \u201cewe\u201d. When a request contains a Trailer header that declares additional header fields, the server merges these into the request header table after parsing the body. The whitelist used to block dangerous headers only excludes nine names, leaving the rest open to abuse. A malicious client can therefore send deliberately chosen trailer fields such as X-Forwarded-For, X-Authenticated-User, or other authentication-related headers. Upon receipt, ewe overwrites normal header values set by upstream reverse proxies. The result is that an attacker can forge authentication credentials, hijack user sessions, bypass IP\u2011based rate limiting, or insert proxy\u2011trust headers that downstream middleware will honor. This is effectively an authentication bypass that can lead to privilege escalation and data compromise.", "risk_and_exploitability": "The impact rating is moderate with a CVSS score of 5.3, while the EPSS score indicates a very low probability of exploitation (<1\u202f%). The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing current threat visibility. Attackers can exploit the weakness remotely by forging an HTTP request that includes chunked transfer\u2011encoding trailers. No privilege or authentication is required, so a remote attacker from the internet could potentially prepare a crafted client and send a malicious request. The overall risk is therefore moderate but the likelihood of active exploitation is low."}}}}, "created": "2026-03-20T08:53:38.660254+00:00", "updated": "2026-03-25T14:10:09.990578+00:00", "vendors": ["vshakitskiy", "vshakitskiy$PRODUCT$ewe"]}