Client-supplied URI scheme trusted without transport verification in bandit

Description

A vulnerability classified as critical was found in mtrudel bandit up to 1.10.x on Untrusted. Impacted is the function Elixir.bandit.Pipeline:determine_scheme in the library lib/bandit/pipeline.ex of the component TCP Connection Handler. Such manipulation leads to reliance on untrusted inputs in a security decision. This vulnerability is traded as CVE-2026-39807. The attack may be launched remotely.

Affected Products

Vendor	Product	Versions
mtrudel	bandit	1.0.0, ff2f829326cd5dcf7335939aef9775269d881e28

References

https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j(vendor-advisory, related)
https://cna.erlef.org/cves/CVE-2026-39807.html(related)
https://osv.dev/vulnerability/EEF-CVE-2026-39807(related)
https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667(patch)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-39807 | mtrudel bandit up to 1.10.x on Untrusted TCP Connection lib/bandit/pipeline.ex Elixir.bandit.Pipeline:determine_scheme reliance on untrusted inputs in a security decision (GHSA-375f-4r2h-f99j / EUVD-2026-26714)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.11.0

CWECWE-807

PublishedMay 1, 2026

Last enriched3h agov2

Trending Score67

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, corrected exploit availability to false, and added new description details.

descriptionseverityactivelyExploited

via VulDB

v111h ago

Initial creation