CVE-2026-6874: copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action

April 23, 2026 (updated April 30, 2026)

A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/August829/CVEP/issues/32
github.com/advisories/GHSA-3vr4-cvmg-7fx4
github.com/ericc-ch/copilot-api
nvd.nist.gov/vuln/detail/CVE-2026-6874
vuldb.com/submit/795212
vuldb.com/vuln/359039
vuldb.com/vuln/359039/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6874 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →