CVE-2026-5078: Morgan Middleware Log Injection via Basic Auth Username
Morgan, a popular Node.js HTTP request logging middleware, has a vulnerability in how it handles usernames from HTTP Basic authentication. When processing login attempts, the logging middleware extracts the username and writes it to application logs without sanitizing special control characters like line breaks. An attacker can craft a fake login attempt with hidden line-break characters embedded in the username field, causing the log entry to split across multiple lines and appearing to contain forged log records. This can deceive downstream systems that rely on logs for security monitoring or compliance auditing.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-117
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-5078 is an improper neutralization of input during log generation vulnerability (CWE-117) in morgan versions 1.2.0 through 1.10.1. The :remote-user token, which extracts the Basic authentication username from the Authorization header, is written directly to the log output stream without sanitization of control characters (CR/LF). An unauthenticated attacker can inject CRLF sequences via the Authorization header to break the one-request-per-line contract of access logs and forge arbitrary log entries. All default log formats (combined, common, default, short) are affected, along with any custom format referencing :remote-user. Morgan 1.11.0 remediates this by neutralizing control characters in the :remote-user token output.
Business impact
Log injection vulnerabilities undermine the integrity of access logs, a critical control for security investigations, incident response, and compliance auditing (GDPR, PCI-DSS, SOC 2). Forged log entries can mask attacker activity, create false evidence of successful authentication, or pollute logs to evade detection systems. Organizations relying on log aggregation and SIEM tools may be misled by injected records, delaying incident detection and complicating forensic analysis. This is particularly concerning for applications that use logs as audit trails for regulated workloads.
Affected systems
Morgan 1.2.0 through 1.10.1 are vulnerable. The scope is limited to applications using morgan as their HTTP logging middleware and exposing its logging to downstream consumers. Node.js web applications using Express, Koa, or other frameworks that integrate morgan are at risk if they rely on :remote-user logging. Applications using custom log formats that do not reference :remote-user are unaffected.
Exploitability
The vulnerability requires network access but no authentication or user interaction. An attacker can exploit it by sending a simple HTTP request with a crafted Authorization header containing embedded control characters—no specialized tools or techniques are required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects the low barrier to entry. However, practical impact depends on how strictly downstream log consumers parse log records; some log aggregation systems may normalize or filter control characters, reducing the exploit's effectiveness in those contexts.
Remediation
Upgrade morgan to version 1.11.0 or later, which neutralizes control characters in the :remote-user token. For organizations unable to upgrade immediately, a temporary workaround is to modify the log format string to exclude :remote-user (e.g., use a custom format without that token). Additionally, implement log parsing and validation controls in downstream SIEM or log aggregation systems to reject or sanitize log records with unexpected line breaks.
Patch guidance
Apply morgan 1.11.0 as soon as feasible. Verify the upgrade via npm (npm install [email protected] or update package.json and reinstall dependencies). Test the patched version in a staging environment to ensure logging continues to function correctly and that no custom integrations depend on the prior (unfiltered) behavior of :remote-user. No breaking changes are expected; sanitization of control characters is a security hardening measure.
Detection guidance
Monitor application logs for Authorization headers containing %0D (CR) or %0A (LF) sequences in HTTP request logs or WAF/proxy logs. Look for log entries where :remote-user field spans multiple lines or contains unexpected line breaks. If log parsing fails or records are malformed in ways consistent with CRLF injection, investigate recent traffic patterns. Enable verbose logging on morgan or use HTTP traffic inspection to identify requests with crafted usernames. Endpoint detection and response (EDR) tools or log analysis rules can flag requests with embedded control characters in Basic auth headers.
Why prioritize this
Although CVSS 5.3 (MEDIUM) may seem low, log integrity is foundational to security operations. This vulnerability is rated MEDIUM because it enables integrity violations (log forgery) with no confidentiality or availability impact and requires the attacker to influence log contents that are then consumed downstream. However, organizations with strong log-based incident detection, compliance auditing, or forensic reliance should prioritize this patch to prevent tampering with audit trails. The lack of KEV designation suggests limited active exploitation, reducing urgency but not justifying delay.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) is assigned because the attack has network accessibility and low complexity (AV:N/AC:L) but impacts only integrity (I:L) with no confidentiality or availability loss (C:N/A:N). No privileges or user interaction are required (PR:N/UI:N). The scope is unchanged (S:U). Log injection is recognized as a legitimate integrity threat, warranting a score in the MEDIUM range rather than LOW. Organizations with heightened audit and compliance requirements may treat this as higher priority despite the base score.
Frequently asked questions
Can this vulnerability allow an attacker to execute code or steal user credentials?
No. This vulnerability is limited to log injection and forgery. It does not enable remote code execution, credential theft, or unauthorized access. However, it can be used to obscure attack traces in logs or create false records that mislead security teams.
Do I need to patch if I don't use Basic authentication or don't log :remote-user?
If your application does not use HTTP Basic authentication or your morgan log format does not include the :remote-user token, you are not vulnerable. Check your morgan configuration to confirm. A workaround for applications using Basic auth is to switch to a custom log format that omits :remote-user.
How does log injection differ from other log-based attacks?
Log injection typically allows attackers to forge entries or hide real entries by exploiting lack of input sanitization. In this case, the attacker exploits carriage-return and line-feed characters to split a single log record into multiple records, making logs appear to show activity that didn't occur. This undermines log integrity and can fool SIEM rules or compliance audits.
Will patching to morgan 1.11.0 break my existing logging or custom integrations?
The patch sanitizes control characters in :remote-user output, so legitimate log parsing should not be affected. Custom log formats that already filter or sanitize input will continue to work. However, test the upgrade in a non-production environment to ensure no unexpected side effects with your specific logging pipeline or SIEM rules.
This analysis is provided for informational purposes and reflects the vulnerability description and CVSS assessment from the ground-truth source data. Customers should verify patch availability, compatibility, and performance in their own environments before deployment. SEC.co does not endorse or recommend specific vendor products; assessment of risk and remediation priority should account for organizational context, log handling infrastructure, and compliance requirements. Organizations should conduct their own testing and consult vendor advisories for the most current patch status and guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45679MEDIUMOpenTelemetry eBPF Instrumentation Data Exfiltration via Redis Error Messages
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk