{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34226", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.033Z", "datePublished": "2026-03-27T21:17:24.777Z", "dateUpdated": "2026-03-31T14:25:27.402Z"}, "containers": {"cna": {"title": "Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-359", "lang": "en", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"}, {"name": "https://github.com/capricorn86/happy-dom/pull/2117", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/pull/2117"}, {"name": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751"}, {"name": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts"}, {"name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9"}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"version": "< 20.8.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:17:24.777Z"}, "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "source": {"advisory": "GHSA-w4gp-fjgq-3q4g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:25:16.015238Z", "id": "CVE-2026-34226", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:25:27.402Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34226", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:25:16.015238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:25:24.297Z"}}], "cna": {"title": "Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies", "source": {"advisory": "GHSA-w4gp-fjgq-3q4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"status": "affected", "version": "< 20.8.9"}]}], "references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g", "name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/capricorn86/happy-dom/pull/2117", "name": "https://github.com/capricorn86/happy-dom/pull/2117", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751", "name": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts", "name": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9", "name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:17:24.777Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34226", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:25:27.402Z", "dateReserved": "2026-03-26T16:22:29.033Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:17:24.777Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*", "matchCriteriaId": "F247E3AB-3479-46B8-8FAE-703193780558", "versionEndExcluding": "20.8.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "id": "CVE-2026-34226", "lastModified": "2026-04-01T13:26:49.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:23.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/capricorn86/happy-dom/pull/2117"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-359"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "happy-dom: Happy DOM: Information disclosure via incorrect cookie handling in fetch requests", "id": "2452519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452519"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.", "A flaw was found in Happy DOM, a JavaScript implementation of a web browser without its graphical user interface. This vulnerability allows for information disclosure where cookies from the current page's origin can be inadvertently attached to network requests made to a different destination. This occurs when the `fetch` function is used with the `credentials: \"include\"` option, potentially leading to the leakage of sensitive user data to unintended recipients."], "name": "CVE-2026-34226", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-27T21:17:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34226\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34226\nhttps://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts\nhttps://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751\nhttps://github.com/capricorn86/happy-dom/pull/2117\nhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.9\nhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,20.8.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "happy-dom", "source": "cna", "vendor": "capricorn86"}, "product": "happy-dom", "vendor": "capricorn86"}], "analysis": {"en": {"generated_at": "2026-04-02T05:15:42.780607+00:00", "value": {"mitigation_remediation": ["Upgrade Happy DOM to version 20.8.9 or later."], "summary": {"action": "Immediate Patch", "impact": "Credential leakage via cross\u2011origin cookie exposure"}, "threat_synthesis": {"affected_systems": "Happy DOM releases by Capricorn86 versions prior to 20.8.9 are affected. The implementation is a Node.js JavaScript environment used for server\u2011side rendering and automated browsing.", "description_and_impact": "Happy DOM\u2019s fetch implementation incorrectly uses the page origin\u2019s cookies instead of the target URL\u2019s when the option credentials: \"include\" is set. This can result in cookies from origin A being sent to origin B, exposing sensitive session information. The weakness corresponds to information exposure weaknesses (CWE\u2011201, CWE\u2011359).", "risk_and_exploitability": "The CVSS score of 7.5 signals high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Because the flaw lies within client\u2011side JavaScript executing inside Happy DOM, an attacker would need to inject or run code that calls fetch(..., {credentials: \"include\"}) to a resource on a different origin; this inference is made from the description that the issue occurs when credentials: \"include\" is used, but the CVE does not detail the exact attack context. The risk to applications using Happy DOM for server\u2011side rendering or automated browsing is moderate, especially if the code processes untrusted input."}}}}, "created": "2026-03-29T20:29:45.281296+00:00", "updated": "2026-04-02T07:55:19.665805+00:00", "vendors": ["capricorn86", "capricorn86$PRODUCT$happy-dom"]}