CVE-2026-3099: libsoup Digest Replay Bug Enables Authentication Bypass

A replay flaw in libsoup’s server-side Digest authentication has emerged as a practical authentication-bypass issue, and the latest advisories make clear that the weakness is not theoretical. The problem sits in SoupAuthDomainDigest, where issued nonces are not properly tracked and the required incrementing nonce-count attribute is not enforced, allowing a captured Authorization header to be reused. In plain terms, one valid login header can become a reusable key if an attacker gets it once. That is exactly the kind of flaw that turns an otherwise ordinary web authentication mechanism into a repeatable access-control failure.

Background​

Libsoup is GNOME’s HTTP client/server library, and it is widely embedded in desktop software, server-side services, and containerized infrastructure that depends on GNOME-adjacent networking stacks. Its authentication code matters because it is often used as a building block rather than an end-user product, which means vulnerabilities can surface in unexpected places. The current advisories tie CVE-2026-3099 to both Red Hat’s vulnerability database and Microsoft’s Security Update Guide, underscoring that this is not merely a niche desktop concern but part of a broader ecosystem issue.
Digest authentication itself is an older mechanism, designed to avoid sending a plaintext password over the wire. Instead of reusing the password directly, the client responds to a server challenge using a nonce and other request-specific values. That design only works if the server rigorously validates those values, especially nonce freshness and nonce-count progression. When those checks weaken, Digest can degrade from a challenge-response protocol into a replay-friendly wrapper around a single captured credential.
The official libsoup documentation shows that server-side authentication is handled through SoupAuthDomainBasic and SoupAuthDomainDigest, with Digest requiring special handling because the server never sees the cleartext password. That architectural separation is important: the server is not verifying a password directly, it is verifying a response derived from server-provided state. If that state is not tracked correctly, the protocol’s assumptions collapse. The vulnerability description indicates that is precisely what happened here.
Red Hat’s advisory record places the issue in the public timeline on February 24, 2026, while the CVE entry was received earlier in March and later updated as analysis matured. The CVE record also links the issue to Red Hat Bugzilla 2442232 and GNOME GitLab issue 495, suggesting active coordination between upstream and downstream maintainers. That pattern is familiar in open-source security response: a bug is identified upstream, packaged into a CVE, then propagated through vendor advisories and product-specific remediation paths.
The core risk is not merely that authentication can fail, but that it can fail reliably. When nonce tracking and nonce-count validation are absent, a single valid header may be enough for repeated unauthorized access. For operators, this changes the response from “monitor for a one-time breach” to “assume durable impersonation until the secret material is rotated and the server logic is fixed.” That is a much more serious operational posture.

---

Overview​

CVE-2026-3099 is best understood as a protocol enforcement failure, not a memory corruption bug or a crash condition. The flaw affects the server-side Digest authentication implementation in libsoup, where the server is supposed to bind each authorization response to a specific challenge and a specific request sequence. Instead, the implementation fails to properly track issued nonces and does not enforce the incrementing nc value that Digest authentication relies on to detect replay. That makes the same captured credential material reusable. (access.redhat.com)
The immediate consequence is an authentication bypass. A remote attacker who obtains one valid Digest Authorization header can replay it repeatedly and be treated as an authenticated user. Because the flaw does not require user interaction and can be exercised remotely, it carries a classic network-facing attack profile. The NVD enrichment shown in the CVE data reflects that risk profile with a high-severity characterization under CVSS 3.x, though Red Hat’s own scoring is lower because it models a more constrained exploitation path. (access.redhat.com)
That scoring difference is worth noting. NIST’s enrichment places the issue at 7.3 HIGH with a no-privileges, no-user-interaction vector, while Red Hat’s vector is lower because it assumes high attack complexity and user interaction. The divergence likely reflects different assumptions about how practical it is to capture a usable header in the wild. The security lesson is still the same: if the header is captured, the replay defense is insufficient, and the server loses its ability to distinguish legitimate use from reuse.
This matters most in environments that still rely on Digest for embedded or legacy services. Digest is sometimes chosen because it looks like a safer alternative to Basic authentication, especially in appliances, local admin portals, and device interfaces where transport security may already be layered underneath. But the flaw shows that protocol choice is only one part of the risk equation; implementation correctness is just as important. A broken Digest implementation can be worse than a simple one, because it offers a false sense of protection.

Why replay defenses matter​

Replay protection exists because authentication is not just about identity, but about time and context. Nonces are intended to make each server challenge unique, while nonce-count values help prove that a header is part of an ongoing sequence rather than a duplicated artifact. If a server does not remember what it issued, or does not reject repeated counts, it cannot tell whether a response is fresh or copied. That is the precise weakness described in CVE-2026-3099. (access.redhat.com)

• A single captured header can become a reusable credential.
• The attacker does not need the original password.
• The server loses the ability to distinguish first use from replay.
• The defense fails silently, which is often worse than a crash.

The deeper implication is that authentication state must be treated as security-critical memory. If the nonce lifecycle is not managed rigorously, the entire trust boundary becomes porous. In a web stack, that can translate into unauthorized access to configuration interfaces, data endpoints, or management APIs.

---

How the Vulnerability Works​

At the center of the bug is libsoup’s SoupAuthDomainDigest server logic. Digest authentication depends on a server-generated nonce and client-maintained counters, but the implementation does not appear to enforce the sequence discipline that the protocol expects. The practical result is that the server may accept repeated use of the same valid authorization header, rather than rejecting it after the first successful request. (access.redhat.com)
That kind of bug is subtle because the request may still look well-formed. The header contains the expected fields, and the response may satisfy the hash calculation. But security is not just cryptography; it is also lifecycle management. If the server does not track issuance and consumption correctly, the same mathematically valid response can be replayed later with no resistance. The flaw therefore sits at the intersection of protocol implementation and application security semantics.

The role of nonce-count​

The nc attribute is supposed to tell the server how many times a client has used a particular nonce. In a robust Digest implementation, the count should increase monotonically, and repeated values should be rejected as suspicious or stale. When that check fails, the server loses replay detection even if the hash math is otherwise correct. That is why this is classified as a replay attack rather than a password-guessing or brute-force issue. (access.redhat.com)

• The nonce binds the challenge to a server-issued token.
• The nonce-count helps prove uniqueness and sequencing.
• Reuse of either can indicate replay.
• Missing enforcement means stale credentials can remain valid.

This is one of those issues where the protocol name can mislead defenders. “Digest” sounds inherently strong, but its security depends on strict server behavior. A server that accepts the same response over and over is not really implementing Digest safely; it is merely parsing Digest syntax.

How attackers would exploit it​

The vulnerability description says the attacker needs to capture a single valid authentication header. That implies interception, logging exposure, proxy compromise, browser cache leakage, or any other path that can reveal a live Authorization header. Once captured, the attacker can resend it and gain access as the legitimate user. The attack therefore becomes more feasible anywhere the network path or client-side telemetry is weakly controlled. (access.redhat.com)

• Intercept one valid header.
• Replay it against the target resource.
• Access protected content without knowing the password.
• Continue replaying until the header expires or the server is fixed.

The operational risk is especially sharp for management endpoints. If a Digest-protected admin UI or embedded service is vulnerable, a stolen header may be enough to maintain control over the resource. That is why replay bugs often become persistence bugs in practice.

---

Affected Ecosystem and Exposure​

The CVE record explicitly associates the issue with GNOME libsoup, and Red Hat’s enriched data shows a broad set of impacted package states across enterprise Linux generations. The data includes Red Hat Enterprise Linux 6, 7, 8, 9, and 10, as well as packages such as libsoup3 and multiple libsoup builds spanning different major distributions. That breadth tells you the vulnerability is not confined to one product line or one version branch. (access.redhat.com)
This matters because libsoup is often a dependency rather than the headline application. A vulnerability in a foundational networking library can propagate into applications that never mention it in their marketing copy. Security teams therefore need to think in terms of dependency inventories, not just top-level package names. A service may be running a vulnerable libsoup build without anyone on the operations team knowing that Digest authentication is even enabled.

Enterprise versus embedded exposure​

For enterprises, the main concern is management surfaces and internal web services that still use Digest for legacy compatibility. Those interfaces may be assumed to be “internal only,” which often leads to reduced monitoring and weaker telemetry. If an attacker gains a foothold on the network, replayable headers can become a lateral movement aid. In a tightly segmented environment, that can be enough to cross a boundary that was supposed to be protected by authentication. (access.redhat.com)
Embedded and appliance environments are different but equally important. Digest is common in device portals because it can be easier to deploy than modern federation and because some clients still expect it. But those environments may be slower to patch, and they often have limited logging. That combination is exactly what turns replay flaws into long-lived exposures.

Why the package list matters​

Red Hat’s security data shows the CVE attached to a substantial set of affected package configurations. That gives defenders a clue about where to look first, even before vendor-specific remediation guidance is consumed. The more package streams a vulnerability touches, the more likely it is to show up in mixed fleets where some servers have been updated and others have not. Consistency becomes the enemy of security debt.

• Mixed versions can hide vulnerable nodes.
• Long-lived branches increase patch lag.
• Dependency chains can obscure direct exposure.
• Internal services may be vulnerable even if public-facing apps are not.

The lesson is straightforward: inventory the library, not just the application. If libsoup is present and Digest authentication is enabled, the security team should assume it is in scope.

---

Severity and Risk Interpretation​

The CVSS picture is instructive because it reveals how different organizations model the same flaw. NIST’s enrichment gives the issue a 7.3 HIGH score with network attack vector, low complexity, and no privileges or user interaction required. Red Hat’s data is more conservative at 5.8 MEDIUM, reflecting higher complexity and requiring user interaction. The gap likely reflects real-world uncertainty around capture conditions and the attacker’s ability to obtain a valid header. (access.redhat.com)
That uncertainty should not be misread as safety. In fact, replay bugs are often harder to score precisely because the exploit chain begins before the visible attack. If a single header is enough, then the severity depends heavily on where and how headers can be observed. In modern enterprise environments, the answer is often “more places than administrators expect,” especially with logging, proxies, browser extensions, packet captures, and reverse engineering of client traffic.

What the scores tell defenders​

The score difference suggests two practical views of the same risk. One view assumes an attacker can trivially capture and replay headers, making the issue broadly exploitable. The other assumes more friction, perhaps because access to a valid header requires user presence or a more complex interception chain. Either way, the exploit still succeeds once the header is in hand. That is the point to remember. (access.redhat.com)

• High-severity ratings imply broad exposure potential.
• Medium ratings often reflect environmental assumptions.
• Both scores still indicate an authentication failure.
• The difference should shape prioritization, not complacency.

For patch management teams, the practical response is to treat the CVE as a priority if Digest authentication is in use anywhere on the network. Even if the exploitation path is not perfectly trivial, the impact of a successful replay is severe enough to justify swift remediation.

A protocol flaw, not a password flaw​

It is tempting to frame authentication issues as credential issues, but that is not what’s happening here. The password may remain secret; the weakness lies in the server’s inability to reject a reused authentication proof. That distinction matters because remediation may require more than password resets. If the server still accepts the same replayable header after a reset, the underlying flaw remains exploitable. Security teams need to address both the implementation and the operational trust model.

---

Vendor Response and Patch Landscape​

Red Hat’s advisory data shows that CVE-2026-3099 is part of a broader stream of 2026 libsoup security activity, and the presence of a linked bug report indicates an upstream-to-downstream remediation path. The CVE was received from Red Hat on March 12, 2026 and later enriched by NVD on March 23, 2026. That timeline implies active post-disclosure review, not a dormant issue. (access.redhat.com)
The existence of a Red Hat advisory and associated package states strongly suggests that backported fixes or mitigations are being distributed through vendor channels. That is the usual model for enterprise Linux ecosystems: rather than waiting for an upstream major release, vendors patch the relevant branches and publish advisories for affected streams. For customers, this means the solution may already be available even if the open-source upstream fix has not yet landed everywhere.

Why downstream advisories matter​

Downstream advisories are especially important for libraries like libsoup because the same source code can appear in many packaged forms. A distribution may carry patches, backports, and version-specific adjustments that diverge from upstream numbering. That means security teams should not rely on upstream version strings alone when triaging exposure. They need to check vendor advisories and package changelogs.

• Check vendor advisory status first.
• Confirm whether your distro backported the fix.
• Validate the installed package build, not just the upstream version.
• Treat “version looks old” and “package is patched” as separate questions.

That distinction is critical in enterprise Linux environments where security fixes are routinely backported into long-term support streams. A package may appear old but still be fixed, or it may look current while carrying an unresolved downstream issue. Only the advisory data can settle that question.

Patch urgency and validation​

Even where a patch is available, operators should validate whether Digest authentication is enabled and whether any workflows depend on it. Some services may be able to disable Digest entirely or migrate to a more modern mechanism. Others may need a direct package update plus configuration review. In either case, the response should include functional testing, because authentication bugs often surface as compatibility issues when remediated.
A sensible validation sequence would be:

• Identify every system using libsoup.
• Determine whether server-side Digest auth is enabled.
• Apply the vendor fix or updated package.
• Test authentication flows and monitor for repeated header acceptance.
• Rotate any credentials or secrets that may have been exposed.

That final step is important because a replay flaw may already have been exploited before patching. If that happened, fixing the code alone does not remove an attacker’s advantage.

---

Historical Context: Why Digest Bugs Keep Happening​

Digest authentication has been around long enough that its security model is well known, yet implementations continue to fail in edge cases. That is because the mechanism is deceptively simple at the surface and surprisingly stateful underneath. The server must remember what it issued, what it accepted, and whether the client’s sequence remains valid. Lose that state, and the protocol becomes easier to replay than many developers assume.
Libsoup has also appeared repeatedly in security discussions because it sits in a sensitive position: it brokers network interactions for GNOME and other software, and its APIs often hide protocol complexity behind straightforward abstractions. That is a strength for developers, but a risk for security reviews. Abstractions can make it easy to use a mechanism without understanding the precise conditions under which it becomes unsafe.

Why older authentication methods still persist​

Digest remains in use because migration is difficult. Enterprises have legacy clients, appliances, and embedded devices that cannot easily adopt token-based or federated authentication. Some environments also prefer Digest because it avoids transmitting the password in cleartext over the application protocol, even if transport encryption is already in place. Those practical constraints keep older mechanisms alive long after newer approaches became available.

• Legacy compatibility keeps Digest on life support.
• Embedded devices often lag behind modern auth patterns.
• Network stack convenience can outweigh protocol elegance.
• Security teams inherit the implementation, not the design intent.

The irony is that what looks like a safer backward-compatible option can become a source of risk if the implementation is brittle. CVE-2026-3099 is a reminder that authentication protocol longevity does not equal security maturity.

The importance of state validation​

Security bugs in stateful protocols often look boring until they are exploited. Replay protection, nonce freshness, and sequence enforcement are easy to overlook because they rarely fail loudly. But they are essential. Once they break, the attacker does not need to crack anything; they simply re-use what was already accepted once. That is why a bug in nonce tracking deserves the same attention as more dramatic exploit classes.

---

Practical Impact for Administrators​

Administrators should treat this issue as a credential replay and impersonation risk rather than a narrow library defect. If any service using libsoup Digest authentication is exposed to untrusted networks, the blast radius can include administrative interfaces, configuration portals, and internal APIs. Even where the surface is “only internal,” compromise of a single network segment can make replay attacks immediately relevant. (access.redhat.com)
Because the flaw is in server-side logic, the usual client-side hygiene does not solve it. Clearing browser cache or rotating a password may not be sufficient if the server continues to accept stale headers. Administrators need to focus on the server package, the authentication mode, and any dependent application that exposes protected endpoints.

Immediate response checklist​

• Inventory all systems using libsoup.
• Identify any use of SoupAuthDomainDigest.
• Apply vendor updates or backported fixes.
• Consider disabling Digest where feasible.
• Rotate credentials if there is any sign of exposure.
• Review logs for repeated use of the same authorization pattern.
• Validate that stale headers are no longer accepted.

A useful operational question is whether Digest is truly necessary. In many cases, the answer is no. If modern authentication is available, the safest route may be to remove the exposure path entirely rather than rely on a legacy protocol whose implementation has already failed once.

Consumer and desktop implications​

For consumer-facing desktop software, the risk is usually indirect but still real. A GNOME-based application or helper service may embed libsoup in a way users never see, yet still inherit the flaw. End users will mostly experience the result through applications that unexpectedly trust stale sessions or exposed local web panels. The danger is less about ordinary browsing and more about software that quietly depends on the library for its networking and admin functions.
For that reason, consumer environments should not dismiss the CVE as “server-only.” In the GNOME ecosystem, server-side auth code can still affect local services and integrated device control panels. The user may not know Digest is there, but the attack path still exists.

---

Strengths and Opportunities​

There are some positive signs in the way this issue is being handled. The advisory trail is visible, the upstream/downstream connection is identifiable, and the problem is specific enough to support targeted remediation. That makes it far easier to fix than a vague denial-of-service issue or an exploit that hides behind broad symptoms. It also gives defenders a clear opportunity to reduce attack surface by modernizing authentication choices. (access.redhat.com)

• The flaw has a clear technical root cause.
• Vendor advisories provide a usable remediation path.
• Affected components can be inventoried by package.
• Digest authentication can often be replaced or disabled.
• The issue highlights where older auth models need review.
• Security teams can use this as a prompt to audit other replay protections.
• The impact is concrete enough to justify fast patching.

One of the biggest opportunities is architectural. Organizations that still depend on Digest can use this event to prioritize migration to stronger authentication patterns, especially where the exposed service is internet-facing or broadly reachable on internal networks. That kind of cleanup often pays dividends beyond the immediate CVE.

---

Risks and Concerns​

The main concern is that replay flaws are easy to underestimate. If defenders assume Digest is “already secure enough,” they may leave exposed services untouched even after disclosure. Another concern is that the exploitation window may be larger than it first appears, because captured headers can come from logs, proxies, browser tooling, or packet captures rather than only from sophisticated interception. (access.redhat.com)

• Replayability can turn one leak into repeated access.
• Legacy services may remain unpatched for long periods.
• Internal exposure is often monitored less aggressively.
• Credential rotation alone may not fix the server-side flaw.
• Mixed package fleets complicate remediation.
• The true blast radius may be hidden by abstraction.
• Attackers can persist if headers remain valid.

A second risk is false confidence from partial patching. If an enterprise updates one package stream but misses a container image, appliance build, or embedded derivative, the vulnerable Digest path may survive somewhere else in the environment. That is why dependency visibility and asset inventory matter as much as the patch itself.

---

Looking Ahead​

The next few weeks should reveal whether upstream libraries and downstream vendors converge on a stable fix and whether additional products surface as affected. Given how widely libsoup is used in GNOME-adjacent software and enterprise packages, it would not be surprising if more advisories or backports appear as maintainers audit their own authentication paths. Security teams should also watch for guidance on whether there are configuration-level mitigations beyond patching.
There is also a broader lesson for application developers. If a protocol depends on server-side state to prevent replay, that state must be treated as a first-class security control. Reusing old authentication patterns without robust state tracking is not a harmless compatibility choice. It is a design decision with real consequences.

What to watch next​

• Upstream libsoup fix details and release notes.
• Vendor backports across enterprise Linux streams.
• Any guidance on disabling Digest authentication.
• Reports of exploitation or proof-of-concept activity.
• Additional products that bundle libsoup in server roles.

If the response to CVE-2026-3099 is handled well, it may become a model for how the ecosystem deals with protocol-layer security bugs: fast advisory publication, clear package mapping, and a push toward removing legacy authentication where it no longer earns its keep. If not, it could become another long-tail replay issue that lingers in overlooked services. Either way, the vulnerability is a sharp reminder that authentication is only as strong as the code that enforces it.
What makes CVE-2026-3099 especially notable is that it weaponizes a familiar assumption: that challenge-response authentication automatically implies replay resistance. Libsoup’s Digest implementation shows why that assumption is dangerous. Once nonce tracking and nonce-count enforcement fail, the protocol stops proving freshness and starts proving little more than prior access. That is enough to justify immediate attention, broad inventorying, and a serious look at whether Digest still belongs anywhere in the modern deployment stack.

---

Source: NVD Security Update Guide - Microsoft Security Response Center