CVE-2026-44217: sse-channel: SSE Injection via unsanitized event fields
Implementations that allow user-provided values to be passed to the event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.
- Event Spoofing: An attacker can inject arbitrary SSE events into the stream
- Client-side Manipulation: Injected events can trigger unintended behavior in frontend JavaScript EventSource listeners
- Data Integrity: Consumers of the SSE stream cannot distinguish injected events from legitimate ones
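The mechanism behind this class of bug is that SSE framing is line-oriented: a CR or LF inside the value of an `event`, `id` or `retry` field ends that line, so the remainder of the value is parsed as further fields or as a new event. Below is an added example (not sse-channel's own code; the function names and the constructed field values are assumptions) that contrasts a serializer which interpolates fields verbatim with one that validates the three fields before they reach the wire:

```javascript
// Added example, not code from the sse-channel project.
// SSE frames are "field: value\n" lines terminated by a blank line, so any
// line break inside a field value lets the rest of the value be parsed as
// further fields or as a new event.

const LINE_BREAK = /[\r\n]/;

// Unsafe form, for contrast: writes event/id/retry exactly as supplied.
function serializeUnsafe({ event, id, retry, data }) {
  let out = '';
  if (event !== undefined) out += `event: ${event}\n`;
  if (id !== undefined) out += `id: ${id}\n`;
  if (retry !== undefined) out += `retry: ${retry}\n`;
  // data may legitimately span lines; each line gets its own "data:" prefix.
  for (const line of String(data).split(/\r\n|\r|\n/)) out += `data: ${line}\n`;
  return out + '\n';
}

// Hardened form: event and id must be single-line strings (the EventSource
// spec also ignores an id containing NUL), retry must be a non-negative
// integer. Anything else is rejected rather than escaped.
function serializeSafe({ event, id, retry, data }) {
  if (event !== undefined && (typeof event !== 'string' || LINE_BREAK.test(event))) {
    throw new TypeError('event must be a single-line string');
  }
  if (id !== undefined && (typeof id !== 'string' || LINE_BREAK.test(id) || id.includes('\0'))) {
    throw new TypeError('id must be a single-line string without NUL');
  }
  if (retry !== undefined && !(Number.isInteger(retry) && retry >= 0)) {
    throw new TypeError('retry must be a non-negative integer');
  }
  return serializeUnsafe({ event, id, retry, data });
}

// Helper for checking a frame: a blank line terminates one event.
function countEvents(frame) {
  return frame.split('\n\n').filter((chunk) => chunk.length > 0).length;
}
```

Rejecting rather than escaping is deliberate: there is no in-band escape for line breaks in SSE field values, so a value that needs one is not a valid field value.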