CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server

Bandit is an HTTP server written in Elixir, responsible for accepting client connections and generating a Plug.Conn struct for downstream application logic. The conn.scheme attribute communicates the security context of the connection to the application.

CVE-2026-39807 is a transport-state spoofing vulnerability categorized as CWE-807 (Reliance on Untrusted Inputs in a Security Decision). The server incorrectly prioritizes the URI scheme supplied by the client over the verified state of the underlying transport layer.

This architecture failure permits unencrypted HTTP connections to present themselves as secure HTTPS connections within the application context. Downstream middleware relies on this spoofed context to make security decisions, resulting in multiple logic bypasses.

The vulnerability originates from a regression introduced in June 2023 via commit ff2f8293. The function Bandit.Pipeline.determine_scheme/2 in lib/bandit/pipeline.ex processes incoming request metadata to populate the Plug.Conn struct.

The function implementation evaluated a tuple containing both the transport adapter's secure? boolean and the client-supplied scheme. The final case match in this function blindly extracted the client-supplied scheme.

By matching on the client-supplied data irrespective of the secure? flag, the pipeline elevated an untrusted header to an authoritative state property. The transport layer's native encryption state was explicitly discarded.

The vulnerable code in lib/bandit/pipeline.ex demonstrates the flaw in prioritization. The third match arm returns the client-provided scheme regardless of the physical secure? transport status.

# lib/bandit/pipeline.ex (Vulnerable)
defp determine_scheme({secure?, _, _, _}, {scheme, _, _, _}) do
  case {scheme, secure?} do
    {nil, true} -> {:ok, "https"}
    {nil, false} -> {:ok, "http"}
    {scheme, _} -> {:ok, scheme}  # Vulnerability: Accepts client scheme
  end
end

Commit 45feea20dea8af7ffd7245271107b695c040e667 resolves this behavior by entirely removing the client scheme parameter from the evaluation function.

# lib/bandit/pipeline.ex (Fixed)
@spec determine_scheme(boolean()) :: String.t()
defp determine_scheme(true), do: "https"
defp determine_scheme(false), do: "http"

The patched version guarantees that the application scheme strictly mirrors the transport layer's physical configuration, eliminating the influence of client headers.

Exploitation requires network access to a plaintext port served by Bandit. The attacker initiates a standard TCP connection without TLS negotiation.

The attacker issues an HTTP/1.1 absolute-form request target or an HTTP/2 request with a manipulated :scheme pseudo-header. The absolute-form syntax explicitly specifies the https scheme in the request line.

GET https://target-server.internal/restricted-endpoint HTTP/1.1
Host: target-server.internal

Bandit processes this payload and populates the Plug.Conn struct with scheme: :https. The connection proceeds through the application pipeline possessing a falsified security context.

The spoofed scheme systematically bypasses Elixir security middleware. The Plug.SSL module validates conn.scheme to enforce HTTP-to-HTTPS redirection. Under exploitation, Plug.SSL observes the spoofed :https value and skips the redirection block.

Authentication mechanisms that issue session cookies with the secure: true flag will transmit these tokens over the unencrypted connection. The application operates under the false assumption that it is writing to an encrypted socket.

Network interceptors or adversaries positioned on the local network segment can capture these secure session tokens. CSRF prevention mechanisms and SameSite cookie validations that perform origin scheme matching are similarly bypassed.

The primary remediation is upgrading the bandit dependency to version 1.11.0. This version contains the logic patch that strictly ties the scheme to the underlying transport security state.

Administrators who cannot immediately patch must deploy compensating controls. Reverse proxies placed in front of Bandit can rewrite the HTTP request lines to strip absolute-form targets.

Disabling all plaintext listeners on the Bandit server eliminates the attack vector entirely. When Bandit only listens on TLS-enabled sockets, the secure? flag is permanently true, nullifying the scheme spoofing objective.