cve-2026-3099

CVE-2026-3099 is a security vulnerability in libsoup's server-side Digest authentication. The flaw resides in SoupAuthDomainDigest, where issued nonces are not properly tracked and the required incrementing nonce-count attribute is not enforced. This allows a captured Authorization header to be reused, enabling an attacker to bypass authentication by replaying a valid login header. The vulnerability turns a standard web authentication mechanism into a repeatable access-control failure. Discussions on WindowsForum cover the technical details, impact, and mitigation strategies for this authentication bypass issue.