CVE-2026-42552: Flight vulnerable to sensitive information disclosure via default error handler

May 6, 2026

The default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute filesystem paths) directly into the HTTP 500 response, with no debug gating. Production deployments leak internal paths, any secret interpolated into an exception message, and full module structure — giving attackers primitives for chaining other weaknesses (LFI, path traversal).

References

github.com/advisories/GHSA-qrch-52m5-vv85
github.com/flightphp/core
github.com/flightphp/core/commit/b8dd23aaa828cb289fa3c84e75b2a3717cab50b0
github.com/flightphp/core/releases/tag/v3.18.1
github.com/flightphp/core/security/advisories/GHSA-qrch-52m5-vv85
nvd.nist.gov/vuln/detail/CVE-2026-42552

Code Behaviors & Features

Detect and mitigate CVE-2026-42552 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →