diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
new file mode 100644
index 0000000000..311380bfff
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2026-5119.patch
@@ -0,0 +1,37 @@
+From 781b08c1b9093626dda077450c46d07d7220984e Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <carlosgc@gnome.org>
+Date: Thu, 27 Feb 2026 11:05:00 +0000
+Subject: [PATCH] cookies: do not send cookies to a HTTP proxy for a HTTPS request
+
+When tunneling HTTPS through an HTTP proxy, libsoup's cookie jar
+attaches cookies to the initial HTTP CONNECT request sent to the proxy.
+This leaks session cookies (including Secure-flagged cookies) in
+cleartext to the proxy, enabling session hijacking.
+
+The fix skips cookie injection for CONNECT-method messages, which are
+only used for proxy tunnel establishment to HTTPS destinations.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/781b08c1b9093626dda077450c46d07d7220984e]
+CVE: CVE-2026-5119
+Signed-off-by: Ashish Sharma <pahaditechie@gmail.com>
+---
+ libsoup/soup-cookie-jar.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
+--- a/libsoup/soup-cookie-jar.c
++++ b/libsoup/soup-cookie-jar.c
+@@ -824,6 +824,10 @@
+ 	SoupCookieJar *jar = SOUP_COOKIE_JAR (feature);
+ 	GSList *cookies;
+ 
++	/* Do not send cookies to a HTTP proxy for a HTTPS request */
++	if (msg->method == SOUP_METHOD_CONNECT)
++		return;
++
+ 	cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (jar, soup_message_get_uri (msg),
+ 	                                                               soup_message_get_first_party (msg),
+							               soup_message_get_site_for_cookies (msg),
+								       TRUE,
+-- 
+2.25.1
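Review bot: The early `return` added ahead of the cookie lookup in the embedded soup-cookie-jar.c hunk skips everything the handler does afterwards, so a `Cookie` header already present on a CONNECT message would still reach the proxy in cleartext. The enclosing function starts and ends outside the hunk, so I cannot see whether it normally replaces or strips that header; if it does, the guard should strip it too with `soup_message_headers_remove (msg->request_headers, "Cookie");` before `return;`. The comment names an HTTP proxy and an HTTPS request while the condition tests only the method, so it would read better as `/* CONNECT goes to the proxy itself, outside the TLS tunnel: never attach cookies to it */`. The change covers the request path only; whether the jar stores `Set-Cookie` from a proxy's reply to CONNECT is not visible here and is worth confirming before closing the CVE for this branch.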
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 7e00cd678a..364e8ec391 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -41,6 +41,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-4476.patch \
            file://CVE-2025-2784.patch \
            file://CVE-2025-4945.patch \
+           file://CVE-2026-5119.patch \
 "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
