CVE-2026-42855: arduino-esp32 Digest Auth Bypass Threatens IoT Security

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-287
CVE-2026-42855: arduino-esp32 Digest Auth Bypass Threatens IoT Security

The National Vulnerability Database has disclosed CVE-2026-42855, a high-severity vulnerability (CVSS 7.5) in arduino-esp32, the Arduino core for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers. Prior to version 3.3.8, the WebServer Digest authentication implementation fails to verify that the URI field in the client’s Authorization header matches the actual requested URI. This is a critical logic flaw.

This flaw allows an attacker possessing any valid digest response for one URI (URI-A) to authenticate requests to a completely different protected URI (URI-B). Essentially, per-resource access controls are rendered useless. An attacker doesn’t need to crack a new credential for each resource; a single valid digest response grants broad access. This is a bypass, not a simple credential compromise.

Defenders using arduino-esp32 in IoT devices, industrial control systems, or other embedded applications must prioritize patching. The National Vulnerability Database confirms this issue is resolved in version 3.3.8. Ignoring this could lead to unauthorized access to critical device functions or data, making the ‘protected’ status of resources an illusion.

What This Means For You

  • If your organization deploys devices utilizing arduino-esp32, you need to verify the version immediately. This vulnerability allows an attacker to bypass per-resource access controls using a single valid digest response. This means sensitive device configurations or data could be exposed without needing to compromise specific credentials for those resources. Patch to version 3.3.8 or later without delay.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-42855: Arduino ESP32 Digest Auth Bypass via Mismatched URI

Sigma YAML — free preview 
title: CVE-2026-42855: Arduino ESP32 Digest Auth Bypass via Mismatched URI
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  This rule detects a potential exploitation of CVE-2026-42855. The vulnerability allows an attacker to bypass Digest authentication by providing a valid digest response for one URI (e.g., '/login') but requesting a different protected URI (e.g., '/admin' or '/config'). This detection looks for a successful POST request to a protected resource ('/admin', '/config') that has an empty referer and a URI containing '/login', suggesting the authentication token was generated for a different path than the one being accessed.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42855/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/admin'
          - '/config'
      cs-method|exact:
          - 'POST'
      sc-status|exact:
          - '200'
  selection_auth_mismatch:
      referer|exact:
          - ''
      uri|contains:
          - '/login'
  condition: selection AND selection_auth_mismatch
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-42855 Auth Bypass arduino-esp32 WebServer Digest authentication bypass
CVE-2026-42855 Auth Bypass arduino-esp32 versions prior to 3.3.8
CVE-2026-42855 Auth Bypass Affected microcontrollers: ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, ESP32-H2

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108

CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

vulnerabilityCVEhigh-severitycwe-749
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 2 IOCs /⚙ 3 Sigma

MonsterInsights WordPress Plugin Exposes Google OAuth Tokens

CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 4 IOCs /⚙ 3 Sigma

ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion

CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...

vulnerabilityCVEhigh-severitycwe-352cwe-650
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 3 Sigma