Security Advisory: Two Vulnerabilities in the Guzzle PHP HTTP Client (CVE-2026-55568 and CVE-2026-55767) — Relevant Because of Its Spread Across PHP Libraries

Guzzle is one of the most widely used HTTP clients in the PHP ecosystem and is relied upon by countless applications, frameworks and extensions to make outgoing HTTP requests. Because the library is so frequently pulled in as an indirect dependency through the Composer package manager, it is present in many projects without the operators ever having consciously chosen it — and in the world of WordPress and Shopware, too, it appears in numerous plugins, modules and integrations. It is precisely for this reason that the two vulnerabilities described below deserve attention even though their rating is only moderate: their reach stems less from the severity of the individual flaw than from the sheer prevalence of the affected component. Both vulnerabilities are fixed in Guzzle 7.12.1.

CVE-2026-55568 — Unencrypted Traffic to the HTTPS Proxy

In certain configurations, traffic that should be protected by TLS on the hop to the proxy is transmitted in cleartext in all versions before 7.12.1. Specifically, the proxy credentials — that is, the Proxy-Authorization header or the credentials stored in the proxy URL — are sent without encryption, and the target host and port of the tunnelled HTTPS request are exposed as well. An application is affected when it issues its requests through Guzzle’s default cURL handlers, configures an https:// proxy in the expectation that the connection to the proxy itself is encrypted, and at the same time runs on a version of libcurl older than 7.50.2, which silently treats an https:// proxy as an unencrypted http:// proxy. The National Vulnerability Database rates the vulnerability at a CVSS score of 5.9, and operators should update Guzzle to version 7.12.1 or newer and, where possible, additionally run an up-to-date version of libcurl.

Sources: National Vulnerability Database — CVE-2026-55568 · GitHub Security Advisory GHSA-wpwq-4j6v-78m3

CVE-2026-55767 — Faulty Domain Check in the CookieJar

In all versions before 7.12.1, Guzzle’s CookieJar incorrectly accepts cookies whose Domain attribute consists only of a single dot or is padded with whitespace. Because the internal processing strips leading dots from the cookie domain and thereby normalises such values to an empty string, while the validation only rejected a strictly empty domain, cookies of this kind could be stored and subsequently treated as if they matched any request host whatsoever. When an application uses a shared cookie store and with it also contacts an attacker-controlled endpoint, that endpoint can set a cookie which Guzzle later sends along to entirely unrelated hosts, which — depending on how the downstream services interpret it — enables cookie injection or session fixation. The National Vulnerability Database rates the vulnerability at a CVSS score of 5.8, and here, too, updating to version 7.12.1 is the decisive countermeasure.

Sources: National Vulnerability Database — CVE-2026-55767 · GitHub Security Advisory GHSA-cwxw-98qj-8qjx

Why this may concern you as well

Even if you do not consciously use Guzzle, the library is very likely present as an indirect dependency in your project, because many common packages require it in turn. Whether and in which version Guzzle is included is most reliably determined from the composer.lock file or with the command composer show guzzlehttp/guzzle; anyone who wants to find out which package pulls the dependency in at all can use composer why guzzlehttp/guzzle for that purpose. Afterwards, make sure that at least version 7.12.1 is installed and, if necessary, trigger an update via composer update guzzlehttp/guzzle.

Not sure whether you’re affected? Get in touch.

---

This advisory is provided for security awareness. The official advisories from the Guzzle project and the sources linked above always take precedence.