CVE-2026-32993: Unauthenticated HTTP Header Injection Vulnerability
The National Vulnerability Database has disclosed CVE-2026-32993, a high-severity vulnerability (CVSS 8.3) stemming from improper sanitization of the status query parameter in the /unprotected/nova_error endpoint. This flaw, categorized as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers), allows an unauthenticated attacker to inject arbitrary HTTP headers into the response.
This isn’t just a theoretical bug. Header injection can be weaponized in various ways. Attackers could manipulate caching mechanisms, bypass security controls, or even facilitate cross-site scripting (XSS) attacks by injecting Content-Type headers or other directives. The ‘unauthenticated’ aspect is critical here – no prior access or credentials are required, significantly lowering the bar for exploitation.
While specific affected products are not detailed by the National Vulnerability Database, any application exposing an /unprotected/nova_error endpoint with similar status parameter handling is at risk. Defenders need to assess their web application infrastructure for this pattern and prioritize immediate patching or mitigation strategies.
What This Means For You
- If your organization operates web applications that expose an `/unprotected/nova_error` endpoint, you need to investigate immediately. This unauthenticated HTTP header injection (CVE-2026-32993) can lead to session hijacking, cache poisoning, or XSS. Audit your applications for similar vulnerable parameter handling and apply patches as soon as they are available.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-32993: Unauthenticated HTTP Header Injection via /unprotected/nova_error
title: CVE-2026-32993: Unauthenticated HTTP Header Injection via /unprotected/nova_error
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-32993 by targeting the '/unprotected/nova_error' endpoint with a 'status' query parameter. This vulnerability allows unauthenticated attackers to inject arbitrary HTTP headers into the response, potentially leading to further compromise.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-32993/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/unprotected/nova_error'
cs-uri-query|contains:
- 'status='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32993 | HTTP Header Injection | Improper sanitization of `status` query parameter |
| CVE-2026-32993 | HTTP Header Injection | `/unprotected/nova_error` endpoint |
| CVE-2026-32993 | HTTP Header Injection | Unauthenticated attacker |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input
CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...
Hoppscotch CVE-2026-44478: Unauthenticated Infrastructure Secret Leak
CVE-2026-44478 — hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking...
CVE-2026-44471: gitoxide Symlink Vulnerability Exposes Filesystem to Attack
CVE-2026-44471 — gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out...