CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-5078

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

Alon Barad
Alon Barad
Software Engineer

Jul 10, 2026·7 min read·5 visits

Executive Summary (TL;DR)

Unauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

Vulnerability Overview

Morgan is a highly utilized HTTP request logger middleware for Node.js, designed to intercept incoming HTTP requests and output standardized access logs. It is frequently integrated with frameworks like Express and Connect. To generate log records, Morgan relies on predefined tokens such as :method, :status, :url, and :remote-user. The :remote-user token is designed to extract and display the username of an authenticated client using basic HTTP authentication.

The vulnerability, registered as CVE-2026-5078, belongs to the Improper Output Neutralization for Logs class (CWE-117). In vulnerable versions of the middleware (1.2.0 through 1.10.1), Morgan outputs the authenticated username directly to the logging destination without sanitizing control characters. This lack of sanitization allows an attacker to inject Carriage Return (\r) and Line Feed (\n) characters into the log file, creating arbitrary new lines.

Centralized logging infrastructures and security information and event management (SIEM) systems process logs under the assumption that a single line represents a single request. By introducing unescaped CRLF sequences, an unauthenticated remote attacker can break this line-oriented structure. The primary security boundary violated here is log integrity, allowing attackers to write false system events or corrupt log parsing engines.

Root Cause Analysis

The underlying flaw stems from the design of basic HTTP authentication and how Node.js processes incoming headers. Native Node.js HTTP parsers strictly validate incoming HTTP header lines. If raw CRLF characters are sent within an HTTP header, the parser rejects the malformed request to prevent HTTP request smuggling and header injection attacks. This network-level filter protects downstream application logic from direct injection of raw newlines.

However, basic authentication credentials are submitted via the Authorization: Basic <base64> header, where the credentials are encapsulated within a Base64-encoded string. Because Base64 encoding uses a safe, alphanumeric character set (A-Z, a-z, 0-9, +, /, =), the payload successfully bypasses all front-end HTTP parser validation routines. The request reaches the application logic where the Morgan middleware attempts to parse the header.

Morgan uses the third-party basic-auth library to decode the Base64 value and extract the username and password fields. When basic-auth decodes the string, the embedded CRLF sequences are restored to their raw byte representation. Because Morgan historically logged the returned username directly without escaping control characters, these raw CRLF bytes were written straight to the output stream (such as process.stdout or an active log file), ending the current log line prematurely and initiating a new, attacker-controlled line.

Code Analysis

In vulnerable versions of Morgan, the definition of the :remote-user token was defined in index.js as follows:

morgan.token('remote-user', function getRemoteUserToken (req) {
  var credentials = auth(req)
 
  // return username
  return credentials
    ? credentials.name
    : undefined
})

In this implementation, the credentials.name value (extracted from the basic-auth helper) is returned exactly as parsed. There is no sanitization or escaping applied before returning this string to the formatting engine.

To resolve this vulnerability, the maintainers introduced a validation and sanitization utility function named escapeLogField in commit b3f5d9bdb388690dfae9c06ab966328f49b7982b. This function targets all control characters and backslashes:

/**
 * Escape control characters and backslashes so a value is safe for
 * line-oriented logs.
 * @private
 *
 * @param {*} value Value to escape.
 * @returns {string|undefined} Escaped string, or undefined for null/undefined.
 */
function escapeLogField (value) {
  if (value == null) return undefined
 
  // eslint-disable-next-line no-control-regex
  return String(value).replace(/[\u0000-\u001f\u007f\\]/g, function (ch) {
    switch (ch) {
      case '\\': return '\\\\'
      case '\b': return '\\b'
      case '\f': return '\\f'
      case '\n': return '\\n'
      case '\r': return '\\r'
      case '\t': return '\\t'
      default:
        return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4)
    }
  })
}

The updated :remote-user token definition wraps the credential return in this sanitizer, converting raw CRLF bytes into literal \r and \n character pairs:

morgan.token('remote-user', function getRemoteUserToken (req) {
  var credentials = auth(req)
 
  // return username
  return credentials
    ? escapeLogField(credentials.name)
    : undefined
})

Exploitation Methodology

An unauthenticated attacker can exploit this vulnerability by transmitting a specifically constructed Authorization: Basic header. To perform line splitting and log injection, the attacker constructs a username containing raw Carriage Return and Line Feed bytes, encodes the payload to Base64, and appends it to the authorization request.

Consider a basic logging layout where Morgan utilizes the standard common or combined format. The template expects: [IP] - [Username] [[Timestamp]] "[Request]" [Status]. To inject a fake entry, the attacker formats a username containing the desired fake parameters preceded by a newline sequence:

- [01/Jan/1970 00-00-00 +0000] "GET /injected HTTP/1.1" 200 - "-" "curl/8.14.1"\r\n192.0.2.0 - - :x

This payload is converted to its Base64 representation:

LSBbMDEvSmFuLzE5NzAgMDAtMDAtMDAgKzAwMDBdICJHRVQgL2luamVjdGVkIEhUVFAvMS4xIiAyMDAgLSAiLSIgImN1cmwvOC4xNC4xIg0KMTkyLjAuMi4wIC0gLSA6eA==

The attacker then transmits the following HTTP request to the target application:

GET / HTTP/1.1
Host: target-server.internal
Authorization: Basic LSBbMDEvSmFuLzE5NzAgMDAtMDAtMDAgKzAwMDBdICJHRVQgL2luamVjdGVkIEhUVFAvMS4xIiAyMDAgLSAiLSIgImN1cmwvOC4xNC4xIg0KMTkyLjAuMi4wIC0gLSA6eA==

Because the raw newline sequence terminates the line in the target log storage, the log parser processes two separate lines. The first line records the incoming connection as if it originated from a spoofed IP (e.g., 192.0.2.0), pretending a legitimate GET /injected request occurred successfully. The second line contains the remainder of the actual request, obfuscating the actual source IP and requested URI of the attacker.

Impact Assessment

The impact of CVE-2026-5078 is primarily centered around log integrity and security auditing evasion. While it does not directly lead to remote code execution or unauthorized data extraction on its own, it severely undermines the reliability of application security monitoring.

In modern enterprise architectures, access logs are automatically aggregated and ingested by SIEM platforms to trigger security alerts, track administrative access, and generate compliance reports. Successful exploitation allows an attacker to insert forged security alerts or fake successful actions, distracting incident response teams with false-positive events. Alternatively, attackers can mask their actual malicious actions by wrapping their real activity in forged formatting that mimics routine health checks or administrative tasks.

Furthermore, if the raw log files are viewed directly in terminals, unescaped ANSI escape sequences or control codes included in the username could exploit terminal emulator vulnerabilities, or simply confuse system administrators. The CVSS 3.1 base score of 5.3 reflects that while confidentiality and availability remain unaffected, log integrity can be completely compromised by an unauthenticated network adversary.

Remediation & Detection

Remediation of CVE-2026-5078 requires updating the morgan dependency to version 1.11.0 or higher, which integrates the escapeLogField sanitization utility. Application administrators can perform the upgrade by executing:

npm install morgan@1.11.0

If upgrading the library is not immediately viable, administrators should temporarily alter their logging configuration. Replacing pre-configured formats like combined or common with a custom format that completely omits the :remote-user token removes the injection vector. For example:

// Secure workaround: Omit :remote-user token
app.use(morgan(':remote-addr - :method :url :status :response-time ms'));

To detect historical exploitation attempts, security operations teams should query SIEM datastores for literal representations of control characters (e.g., \\r\\n or \\u000d\\u000a) within the username logging field. Since the patched version of Morgan writes these as literal escaped string sequences, the presence of these literals in the log stream highlights that an exploitation attempt was executed and successfully neutralized by the patch.

Official Patches

Morgan ProjectCode fix introducing character escaping logic.
OpenJS FoundationOfficial OpenJS Foundation security advisory record.

Fix Analysis (2)

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Probability
0.25%
Top 84% most exploited

Affected Systems

Node.js applications using Morgan middleware versions 1.2.0 through 1.10.1 configured with log formats that include the :remote-user token.

Affected Versions Detail

Product
Affected Versions
Fixed Version
morgan
OpenJS Foundation
>= 1.2.0, <= 1.10.11.11.0
AttributeDetail
CWE IDCWE-117 (Improper Output Neutralization for Logs)
Attack VectorNetwork (Remote, Unauthenticated)
CVSS v3.1 Score5.3 (Medium)
EPSS Score0.00246
Exploit StatusProof-of-Concept
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1565.001Data Manipulation: Stored Data Manipulation
Impact
T1070.002Indicator Removal on Host: Clear Linux System Logs
Defense Evasion
CWE-117
Improper Output Neutralization for Logs

The software does not neutralize or incorrectly neutralizes output that is written to logs, which can allow an attacker to forge log entries or inject malicious content.

Known Exploits & Detection

GitHub Security AdvisoryProof of concept showcasing unit tests and raw payloads to trigger unescaped carriage returns and log parsing issues.

References & Sources

  • [1]GitHub Security Advisory GHSA-4vj7-5mj6-jm8m
  • [2]OpenJS Foundation Security Advisories
  • [3]NVD Vulnerability Details: CVE-2026-5078
  • [4]CVE Org Record: CVE-2026-5078

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•43 minutes ago•CVE-2026-49866
7.5

CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser

A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.

Amit Schendel
Amit Schendel
2 views•6 min read
•about 2 hours ago•CVE-2026-49858
5.9

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

Alon Barad
Alon Barad
4 views•7 min read
•about 13 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 14 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 14 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 15 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read