CVE-2025-66286: WebKitGTK/WPE WebKit API Signal Bypass; IP/DNS/HTTP Exposed
CVE-2025-66286 Published on April 23, 2026
Webkitgtk: authorization bypass through webpage::send-request signal handler
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Vulnerability Analysis
CVE-2025-66286 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality, and a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public 121 days later.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2025-66286 has been classified as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2025-66286