Jul 10, 2026·7 min read·5 visits
Unauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.
CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.
Morgan is a highly utilized HTTP request logger middleware for Node.js, designed to intercept incoming HTTP requests and output standardized access logs. It is frequently integrated with frameworks like Express and Connect. To generate log records, Morgan relies on predefined tokens such as :method, :status, :url, and :remote-user. The :remote-user token is designed to extract and display the username of an authenticated client using basic HTTP authentication.
The vulnerability, registered as CVE-2026-5078, belongs to the Improper Output Neutralization for Logs class (CWE-117). In vulnerable versions of the middleware (1.2.0 through 1.10.1), Morgan outputs the authenticated username directly to the logging destination without sanitizing control characters. This lack of sanitization allows an attacker to inject Carriage Return (\r) and Line Feed (\n) characters into the log file, creating arbitrary new lines.
Centralized logging infrastructures and security information and event management (SIEM) systems process logs under the assumption that a single line represents a single request. By introducing unescaped CRLF sequences, an unauthenticated remote attacker can break this line-oriented structure. The primary security boundary violated here is log integrity, allowing attackers to write false system events or corrupt log parsing engines.
The underlying flaw stems from the design of basic HTTP authentication and how Node.js processes incoming headers. Native Node.js HTTP parsers strictly validate incoming HTTP header lines. If raw CRLF characters are sent within an HTTP header, the parser rejects the malformed request to prevent HTTP request smuggling and header injection attacks. This network-level filter protects downstream application logic from direct injection of raw newlines.
However, basic authentication credentials are submitted via the Authorization: Basic <base64> header, where the credentials are encapsulated within a Base64-encoded string. Because Base64 encoding uses a safe, alphanumeric character set (A-Z, a-z, 0-9, +, /, =), the payload successfully bypasses all front-end HTTP parser validation routines. The request reaches the application logic where the Morgan middleware attempts to parse the header.
Morgan uses the third-party basic-auth library to decode the Base64 value and extract the username and password fields. When basic-auth decodes the string, the embedded CRLF sequences are restored to their raw byte representation. Because Morgan historically logged the returned username directly without escaping control characters, these raw CRLF bytes were written straight to the output stream (such as process.stdout or an active log file), ending the current log line prematurely and initiating a new, attacker-controlled line.
In vulnerable versions of Morgan, the definition of the :remote-user token was defined in index.js as follows:
morgan.token('remote-user', function getRemoteUserToken (req) {
var credentials = auth(req)
// return username
return credentials
? credentials.name
: undefined
})In this implementation, the credentials.name value (extracted from the basic-auth helper) is returned exactly as parsed. There is no sanitization or escaping applied before returning this string to the formatting engine.
To resolve this vulnerability, the maintainers introduced a validation and sanitization utility function named escapeLogField in commit b3f5d9bdb388690dfae9c06ab966328f49b7982b. This function targets all control characters and backslashes:
/**
* Escape control characters and backslashes so a value is safe for
* line-oriented logs.
* @private
*
* @param {*} value Value to escape.
* @returns {string|undefined} Escaped string, or undefined for null/undefined.
*/
function escapeLogField (value) {
if (value == null) return undefined
// eslint-disable-next-line no-control-regex
return String(value).replace(/[\u0000-\u001f\u007f\\]/g, function (ch) {
switch (ch) {
case '\\': return '\\\\'
case '\b': return '\\b'
case '\f': return '\\f'
case '\n': return '\\n'
case '\r': return '\\r'
case '\t': return '\\t'
default:
return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4)
}
})
}The updated :remote-user token definition wraps the credential return in this sanitizer, converting raw CRLF bytes into literal \r and \n character pairs:
morgan.token('remote-user', function getRemoteUserToken (req) {
var credentials = auth(req)
// return username
return credentials
? escapeLogField(credentials.name)
: undefined
})An unauthenticated attacker can exploit this vulnerability by transmitting a specifically constructed Authorization: Basic header. To perform line splitting and log injection, the attacker constructs a username containing raw Carriage Return and Line Feed bytes, encodes the payload to Base64, and appends it to the authorization request.
Consider a basic logging layout where Morgan utilizes the standard common or combined format. The template expects: [IP] - [Username] [[Timestamp]] "[Request]" [Status]. To inject a fake entry, the attacker formats a username containing the desired fake parameters preceded by a newline sequence:
- [01/Jan/1970 00-00-00 +0000] "GET /injected HTTP/1.1" 200 - "-" "curl/8.14.1"\r\n192.0.2.0 - - :xThis payload is converted to its Base64 representation:
LSBbMDEvSmFuLzE5NzAgMDAtMDAtMDAgKzAwMDBdICJHRVQgL2luamVjdGVkIEhUVFAvMS4xIiAyMDAgLSAiLSIgImN1cmwvOC4xNC4xIg0KMTkyLjAuMi4wIC0gLSA6eA==The attacker then transmits the following HTTP request to the target application:
GET / HTTP/1.1
Host: target-server.internal
Authorization: Basic LSBbMDEvSmFuLzE5NzAgMDAtMDAtMDAgKzAwMDBdICJHRVQgL2luamVjdGVkIEhUVFAvMS4xIiAyMDAgLSAiLSIgImN1cmwvOC4xNC4xIg0KMTkyLjAuMi4wIC0gLSA6eA==Because the raw newline sequence terminates the line in the target log storage, the log parser processes two separate lines. The first line records the incoming connection as if it originated from a spoofed IP (e.g., 192.0.2.0), pretending a legitimate GET /injected request occurred successfully. The second line contains the remainder of the actual request, obfuscating the actual source IP and requested URI of the attacker.
The impact of CVE-2026-5078 is primarily centered around log integrity and security auditing evasion. While it does not directly lead to remote code execution or unauthorized data extraction on its own, it severely undermines the reliability of application security monitoring.
In modern enterprise architectures, access logs are automatically aggregated and ingested by SIEM platforms to trigger security alerts, track administrative access, and generate compliance reports. Successful exploitation allows an attacker to insert forged security alerts or fake successful actions, distracting incident response teams with false-positive events. Alternatively, attackers can mask their actual malicious actions by wrapping their real activity in forged formatting that mimics routine health checks or administrative tasks.
Furthermore, if the raw log files are viewed directly in terminals, unescaped ANSI escape sequences or control codes included in the username could exploit terminal emulator vulnerabilities, or simply confuse system administrators. The CVSS 3.1 base score of 5.3 reflects that while confidentiality and availability remain unaffected, log integrity can be completely compromised by an unauthenticated network adversary.
Remediation of CVE-2026-5078 requires updating the morgan dependency to version 1.11.0 or higher, which integrates the escapeLogField sanitization utility. Application administrators can perform the upgrade by executing:
npm install morgan@1.11.0If upgrading the library is not immediately viable, administrators should temporarily alter their logging configuration. Replacing pre-configured formats like combined or common with a custom format that completely omits the :remote-user token removes the injection vector. For example:
// Secure workaround: Omit :remote-user token
app.use(morgan(':remote-addr - :method :url :status :response-time ms'));To detect historical exploitation attempts, security operations teams should query SIEM datastores for literal representations of control characters (e.g., \\r\\n or \\u000d\\u000a) within the username logging field. Since the patched version of Morgan writes these as literal escaped string sequences, the presence of these literals in the log stream highlights that an exploitation attempt was executed and successfully neutralized by the patch.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
morgan OpenJS Foundation | >= 1.2.0, <= 1.10.1 | 1.11.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-117 (Improper Output Neutralization for Logs) |
| Attack Vector | Network (Remote, Unauthenticated) |
| CVSS v3.1 Score | 5.3 (Medium) |
| EPSS Score | 0.00246 |
| Exploit Status | Proof-of-Concept |
| CISA KEV Status | Not Listed |
The software does not neutralize or incorrectly neutralizes output that is written to logs, which can allow an attacker to forge log entries or inject malicious content.
A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.
CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.
CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.
An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.
An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.
CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.