OSSA-2026-024: Swift proxy-server SSRF via header injection

Date:

June 23, 2026

CVE:

CVE-2026-50221

Affects

• Swift: >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2

Description

Tim Shephard from roiai.ca reported a server-side request forgery (SSRF) vulnerability in Swift’s proxy-server. An authenticated user can cause Swift object servers to issue outbound HTTP requests to attacker-specified hosts, potentially exposing internal infrastructure details. All deployments running Swift 2.0.0 or later are affected.

Patches

• https://review.opendev.org/994452 (2025.1/epoxy)

• https://review.opendev.org/994451 (2025.2/flamingo)

• https://review.opendev.org/994450 (2026.1/gazpacho)

• https://review.opendev.org/994449 (2026.2/hibiscus (development))

Credits

• Tim Shephard from roiai.ca (CVE-2026-50221)

References

• https://launchpad.net/bugs/2150261

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221