CVE-2026-5078
Impact
Morgan's :remote-user token extracts the Basic auth username from the Authorization header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted Authorization: Basic header containing CR/LF characters to inject forged log lines, corrupting the one-request-per-line structure of access logs.
The built-in combined, common, default, and short formats are affected, as well as any custom format that includes :remote-user.
Patches
Users should upgrade to version 1.11.0.
Workarounds
Use a custom format string that does not include :remote-user.
⚡ Watch CVE-2026-5078
Get an email if CVE-2026-5078 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-5078)