Microsoft's Security Update Guide has begun tracking CVE-2026-8368, a credential-disclosure vulnerability in the Perl library LWP::UserAgent. The flaw, present in all versions prior to 6.83, causes Authorization and Proxy-Authorization headers to be forwarded to unintended hosts during HTTP redirects. Users who rely on this module for authenticated requests—whether on Windows, Linux, or macOS—should update immediately to prevent credentials from leaking to malicious third parties.
The Core Issue: Headers That Follow Redirects
At the heart of CVE-2026-8368 is a behavior that many developers overlook: by default, LWP::UserAgent forwards most request headers when following an HTTP redirect. While this is often necessary for cookies or session identifiers, it becomes a security nightmare when sensitive credentials are in play. If a server responds with a 3xx redirect to a different domain, the original Authorization or Proxy-Authorization header will be sent to the new location. This means that a well-crafted phishing link, a compromised open redirect, or even a legitimate service that redirects to a third-party CDN could capture your Basic, Digest, or Bearer tokens.
The Perl library, part of the libwww-perl distribution, has been a workhorse for automated HTTP interactions since the late 1990s. It powers countless scripts, monitoring tools, and even some enterprise software that leverages Perl on Windows. Its design philosophy favored convenience, and that included automatically following redirects (up to 7 by default, though configurable). Until version 6.83, there was no built-in mechanism to strip Authorization headers on cross-origin redirects. The result: credentials intended for one domain were silently sent to another.
Technical Breakdown: How the Leak Happens
Consider a typical script using LWP::UserAgent to access an internal API:
```perl
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->credentials('api.example.com:443', 'Internal Realm', 'admin', 'secret');
$ua->get('https://api.example.com/data');
```
If api.example.com returns a 302 redirect to https://untrusted.example.org/somepath, the GET request to the new URL will include an Authorization: Basic YWRtaW46c2VjcmV0 header. The untrusted.example.org server now has the administrative credentials in plaintext (in the case of Basic auth) or a token that can be replayed. The same applies to Proxy-Authorization headers when a proxy redirects to another destination.
This pattern isn't hypothetical. Open redirects are common in web applications, often arising from poorly validated redirect_uri parameters. An attacker who identifies a Perl script that authenticates with LWP::UserAgent can craft a URL that triggers a redirect to a server they control, harvesting credentials with zero interaction beyond the initial legitimate request. Even without an open redirect, a compromised upstream service can siphon credentials the same way.
The vulnerability is distinct from general information disclosure via referrer headers because the entire Authorization header—credentials and all—is sent in the actual request to the new host. Network traffic analysis tools like Wireshark would plainly show the credentials traversing the wire to an unexpected IP.
Affected Versions and Platforms
All releases of LWP::UserAgent prior to version 6.83 are vulnerable. This includes the versions bundled with many Perl distributions on Windows, such as Strawberry Perl and ActivePerl, as well as those available through CPAN. The libwww-perl module is often installed as a dependency for higher-level tools, so even if you're not writing Perl directly, your system may be affected. For example, Git for Windows ships with Perl and may include an older LWP::UserAgent if not regularly updated.
To check your currently installed version, run:
```sh
perl -MLWP::UserAgent -e 'print $LWP::UserAgent::VERSION'
```
If the output is less than 6.83 (e.g., 6.45, 6.70, 6.72), your environment is at risk.
The Fix: Upgrade to LWP::UserAgent 6.83
The definitive remediation is to upgrade to version 6.83, released by the libwww-perl maintainers. This version introduces a new redirect_ok callback that, by default, removes Authorization and Proxy-Authorization headers when the host changes between the original request and the redirect target. The logic compares the host portion of the URL, so a redirect from api.example.com to api2.example.com is also treated as cross-host and sanitized; subdomain changes count as different hosts.
To upgrade via CPAN:
```sh
cpan upgrade LWP::UserAgent
```
Or if you're using the cpanm client:
```sh
cpanm LWP::UserAgent@6.83
```
Windows users can use the same commands from a Perl-capable shell (such as the one included with Strawberry Perl). If your Perl installation is managed by a system package manager (e.g., apt on Linux via WSL, or Chocolatey on Windows), wait for the updated package to appear or compile from source. The critical thing is to ensure the version number reaches 6.83 or above.
Verifying after upgrade:
```sh
perl -MLWP::UserAgent -e 'print $LWP::UserAgent::VERSION'
# should output 6.83 or higher
```
What If You Can't Upgrade Immediately?
For organizations that need time to test or deploy the upgrade, workarounds exist. The most robust is to explicitly disable automatic redirect following and handle redirections manually, stripping sensitive headers before each request:
```perl
use LWP::UserAgent;
use HTTP::Request;
use URI;

my $url = shift @ARGV or die "usage: $0 URL\n";
my $ua = LWP::UserAgent->new;
$ua->requests_redirectable([]);   # disable all automatic redirects
my $response = $ua->get($url);
my $hops = 0;
while ($response->is_redirect && $hops++ < 7) {   # cap hops, like the default max_redirect
    # Location may be relative; resolve it against the URL that was just requested
    my $location = URI->new_abs($response->header('Location'), $response->request->uri);
    # Manually construct a new request without Authorization
    my $req = HTTP::Request->new(GET => $location);
    # Copy only safe headers from the original request here if needed
    $response = $ua->request($req);
}
```
This approach is cumbersome and error-prone, especially if the script relies on other LWP features that interact with redirects. An alternative is to override the prepare_request method in a subclass to strip the Authorization header whenever the host changes, but that still requires careful coding. The simplest and safest path is the upgrade.
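The following added example (not code from libwww-perl or the advisory) ties the breakdown above to the subclass workaround just mentioned: StrictAuthUA is a hypothetical LWP::UserAgent subclass that uses the documented prepare_request hook to drop Authorization on any hop whose host:port was never registered through credentials(), and fake_server is a constructed stand-in for api.example.com and untrusted.example.org driven through a request_send handler, so the whole run is offline. It assumes no authenticated proxy is in use (Proxy-Authorization belongs to the proxy, not the target, and is left alone here).

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;

# Hypothetical subclass (added here, not part of libwww-perl): the Authorization
# header survives only on requests to a host:port registered via credentials().
package StrictAuthUA {
    use parent 'LWP::UserAgent';
    sub credentials {
        my ($self, $netloc, $realm, @userpass) = @_;
        # A store call (user/pass supplied) registers the host:port; lookups pass through.
        $self->{_auth_hosts}{lc $netloc} = 1 if @userpass;
        return $self->SUPER::credentials($netloc, $realm, @userpass);
    }
    sub prepare_request {
        my ($self, $request) = @_;
        # LWP runs first (default headers, request_prepare handlers), then we strip.
        $request = $self->SUPER::prepare_request($request);
        my $uri    = $request->uri;
        my $netloc = $uri->can('host_port') ? lc $uri->host_port : '';
        $request->remove_header('Authorization') unless $self->{_auth_hosts}{$netloc};
        return $request;
    }
}

# Constructed stand-in for the article's servers: api.example.com issues a Basic
# challenge, then redirects the authenticated request off-host; the second host
# records what it was sent. No network traffic is generated.
my %seen;
sub fake_server {
    my ($request) = @_;
    my $host = $request->uri->host;
    if ($host eq 'api.example.com') {
        return $request->header('Authorization')
            ? HTTP::Response->new(302, 'Found', [Location => 'https://untrusted.example.org/somepath'])
            : HTTP::Response->new(401, 'Unauthorized', ['WWW-Authenticate' => 'Basic realm="Internal Realm"']);
    }
    $seen{$host} = $request->header('Authorization');   # undef once stripped
    return HTTP::Response->new(200, 'OK');
}

for my $class ('LWP::UserAgent', 'StrictAuthUA') {
    %seen = ();
    my $ua = $class->new;
    $ua->add_handler(request_send => sub { fake_server($_[0]) });   # short-circuits the real send
    $ua->credentials('api.example.com:443', 'Internal Realm', 'admin', 'secret');
    $ua->get('https://api.example.com/data');
    my $got = $seen{'untrusted.example.org'};
    printf "%-15s untrusted.example.org received Authorization: %s\n", $class,
        !exists $seen{'untrusted.example.org'} ? 'never requested' : defined $got ? 'YES' : 'no';
}
```

Run it against the LWP version you actually have installed: the plain client line shows whether that version forwards the header across hosts, while the StrictAuthUA line should always report "no".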
Microsoft's Security Update Guide notes that for Windows environments where Perl scripts are invoked by system services or scheduled tasks, administrators should inventory all such scripts and verify the LWP::UserAgent version. The guide includes detection logic using PowerShell:
```powershell
# Find all Perl scripts and check for LWP::UserAgent usage
Get-ChildItem -Path C:\ -Filter *.pl -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern 'LWP::UserAgent' -List
```
Once identified, ensure the execution context uses the updated module.
Why Is Microsoft Tracking a Perl Vulnerability?
CVE-2026-8368 appears in the Microsoft Security Update Guide because Windows is a supported platform for Perl, and many enterprise workloads—especially in mixed environments—rely on Perl for automation, backend processing, or legacy line-of-business applications. Additionally, Microsoft's own products sometimes ship with Perl or use it internally for build processes; while the guide does not confirm specific affected Microsoft software, tracking the CVE is consistent with their practice of helping customers assess risk across all software installed on Windows.
The advisory does not classify the vulnerability as requiring a Microsoft-published security update (because the fix comes from the upstream maintainers), but it provides detection guidance and urges users to apply the patch. It is listed under the "Software Not Covered by the Microsoft Security Update" section—a category reserved for third-party and open-source components that are widely used on Windows but patched by their respective communities.
Real-World Exploitation Scenarios
Credential-forwarding vulnerabilities have been exploited in the wild for years. In 2021, a similar issue in the popular Python requests library led to the discovery of open redirects being weaponized in supply-chain attacks against internal APIs. Attackers scanned public GitHub repositories for scripts using requests with hardcoded credentials, then probed the targeted services for redirect vectors. A comparable campaign against Perl scripts is now plausible, given the public disclosure of CVE-2026-8368.
CI/CD pipelines are particularly exposed. It's common to find Perl one-liners or small scripts that authenticate to artifact repositories, package registries, or cloud services. If one of those services returns a redirect (even a legitimate one, such as to an S3 pre-signed URL or a CDN), the Authorization header goes with it. A man-in-the-middle proxy or a compromised redirect target can silently exfiltrate tokens that grant write access to production assets.
Additionally, many legacy monitoring solutions deployed on Windows servers use Perl-based plugins that connect to central consoles with HTTP Basic Auth. Upgrading LWP::UserAgent on these systems may be particularly painful due to dependency freezes, but the risk of credential leakage makes it imperative.
Frequently Asked Questions
Does CVE-2026-8368 affect only HTTP Basic Authentication?
No. The Authorization header is forwarded regardless of the scheme—Basic, Digest, Bearer, NTLM, any custom scheme you set. The vulnerability is in the header forwarding behavior, not the authentication scheme itself.
Is the Proxy-Authorization header also leaked?
Yes. If a proxy requires authentication and redirects to another host, the Proxy-Authorization header will be sent to that host. This is less common but still dangerous.
Can I configure redirect_ok in older versions to mitigate the risk?
Before 6.83, the redirect_ok callback only controls whether a redirect is followed, not which headers are forwarded. You can disable redirects entirely, but there is no built-in mechanism to strip headers selectively.
How do I know if my scripts were affected before I patched?
Audit access logs on servers that handle redirects received from your Perl clients. Look for unexpected Authorization headers arriving from unknown or unexpected hosts. If you have network flow logs, check for outbound connections to unfamiliar IPs following a 3xx response.
Does this affect other languages that use libwww-perl bindings?
Bindings from other languages that call LWP::UserAgent directly (e.g., through XS or FFI) would inherit the behavior. However, pure reimplementations in other languages are not affected.
Action Plan for Windows System Administrators
- Inventory Perl scripts: Use the PowerShell snippet above to locate all .pl files and other Perl-related extensions. Don't forget to check scheduled tasks, SQL Server Agent jobs, and old custom services.
- Check LWP::UserAgent version: For each environment where Perl is used, run the version check command and document the result.
- Update or isolate: For systems where updating to 6.83 is straightforward, perform the upgrade immediately. For legacy systems that cannot be updated, consider network segmentation to limit exposure and implement the manual redirect-disabling workaround.
- Rotate credentials: If any script exposed credentials to unauthorized hosts, change those passwords and tokens immediately. This includes service account passwords, API keys, and any secrets embedded in scripts (better yet, migrate those secrets to a vault).
- Monitor for abuse: Enable detailed logging on authentication servers and watch for unusual success/failure patterns. For exposed Bearer tokens, check cloud audit logs for unexpected API calls.
The Bigger Picture: Safe Defaults in HTTP Libraries
CVE-2026-8368 joins a lineage of similar vulnerabilities in HTTP clients that chose convenience over security. Over the past decade, Python's requests, Ruby's Net::HTTP, and even some Go HTTP libraries have had to fix credential-stripping logic on redirects. The recurring lesson is that libraries should not assume that forwarding all headers is safe when the destination changes. The libwww-perl maintainers have now aligned with modern best practices by making cross-host redaction the default, but it took a CVE to force the change.
For developers, the takeaway is clear: never rely on default redirect behavior with sensitive headers. Always explicitly define what gets forwarded. For the many Windows administrators running Perl in dark corners of their infrastructure, the immediate task is patching. The fix is one CPAN command away.