CVE-2026-43505: Medium severity Prosody prosody vulnerability
Published May 1, 2026
·Updated
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when modproxy65 is enabled. Because modproxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.
Affected Software
3 affected components
Prosody prosody<0.12.6, >=1.0.0<13.0.5
Prosody prosody<0.12.6
Prosody prosody>=13.0.0<13.0.5
Remediation
Patch Available
Patch Available
Event History
May 1, 2026
CVE Published
via MITRE·02:42 PM
Data Sourced
via MITRE·02:42 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·03:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-43505?
CVE-2026-43505 is considered a medium severity vulnerability as it allows relaying of unauthenticated traffic due to access control mishandling.
2
How do I fix CVE-2026-43505?
To fix CVE-2026-43505, update Prosody to version 0.12.6 or 13.0.5 or later.
3
What versions of Prosody are affected by CVE-2026-43505?
CVE-2026-43505 affects Prosody versions prior to 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5.
4
What does mod_proxy65 do that makes CVE-2026-43505 a concern?
Mod_proxy65 mishandles access control, which can lead to unauthorized access and relaying of unauthenticated traffic.
5
Is CVE-2026-43505 related to any specific module in Prosody?
Yes, CVE-2026-43505 is specifically related to the mod_proxy65 module in Prosody.