THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-4vj7-5mj6-jm8m (medium) — morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

[GHSA] GHSA-4vj7-5mj6-jm8m (medium) — morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

medgithub_advisoriesPublished 2026-07-10

GHSA-4vj7-5mj6-jm8m Severity: medium CVE: CVE-2026-5078

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

### Impact

Morgan's `:remote-user` token extracts the Basic auth username from the `Authorization` header and writes it to the log stream without neutralizing control characters. An attacker can send a crafted `Authorization: Basic` header containing CR/L

Indicators of compromise

Original source: https://github.com/advisories/GHSA-4vj7-5mj6-jm8m