Search criteria
6 vulnerabilities found for https://github.com/cloudflare/pingora by Cloudflare
CVE-2026-2836 (GCVE-0-2026-2836)
Vulnerability from nvd – Published: 2026-03-04 23:44 – Updated: 2026-03-04 23:44
VLAI?
Title
Cache poisoning via insecure-by-default cache key
Summary
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.
Impact
This vulnerability affects users of Pingora's alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:
* Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant
* Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries
Cloudflare's CDN infrastructure was not affected by this vulnerability, as Cloudflare's default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.
Mitigation:
We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.
Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer’s HTTP scheme.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA cache poisoning vulnerability has been found in the Pingora HTTP proxy framework\u2019s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability affects users of Pingora\u0027s alpha proxy caching feature who relied on the default \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e implementation. An attacker could exploit this for:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as Cloudflare\u0027s default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eWe strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003ePingora users on previous versions may also remove any of their default \u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003e usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework\u2019s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.\n\n\nImpact\n\nThis vulnerability affects users of Pingora\u0027s alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:\n\n * Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant\n\n\n * Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as Cloudflare\u0027s default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.\n\n\nMitigation:\n\nWe strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.\n\n\nPingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:44:56.472Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cache poisoning via insecure-by-default cache key",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003ePingora users on previous versions may also remove any of their default \u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003e usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e"
}
],
"value": "Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2836",
"datePublished": "2026-03-04T23:44:56.472Z",
"dateReserved": "2026-02-19T21:33:42.425Z",
"dateUpdated": "2026-03-04T23:44:56.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2835 (GCVE-0-2026-2835)
Vulnerability from nvd – Published: 2026-03-04 23:32 – Updated: 2026-03-04 23:32
VLAI?
Title
HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Summary
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.
Impact
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.
As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact “chunked” string match.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora\u0027s parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora\u2019s request framing from backend servers\u2019.\u003c/span\u003e\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora\u0027s parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora\u2019s request framing from backend servers\u2019.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:\n\n * Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.\n\nAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:32:41.186Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2835",
"datePublished": "2026-03-04T23:32:41.186Z",
"dateReserved": "2026-02-19T21:24:24.726Z",
"dateUpdated": "2026-03-04T23:32:41.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2833 (GCVE-0-2026-2833)
Vulnerability from nvd – Published: 2026-03-04 23:20 – Updated: 2026-03-04 23:20
VLAI?
Title
HTTP Request Smuggling via Premature Upgrade
Summary
An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.
Impact
This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher
As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\n\n * Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher\n\n\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:20:51.985Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Request Smuggling via Premature Upgrade",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003cbr\u003e"
}
],
"value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2833",
"datePublished": "2026-03-04T23:20:51.985Z",
"dateReserved": "2026-02-19T21:02:12.382Z",
"dateUpdated": "2026-03-04T23:20:51.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2836 (GCVE-0-2026-2836)
Vulnerability from cvelistv5 – Published: 2026-03-04 23:44 – Updated: 2026-03-04 23:44
VLAI?
Title
Cache poisoning via insecure-by-default cache key
Summary
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.
Impact
This vulnerability affects users of Pingora's alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:
* Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant
* Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries
Cloudflare's CDN infrastructure was not affected by this vulnerability, as Cloudflare's default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.
Mitigation:
We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.
Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer’s HTTP scheme.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA cache poisoning vulnerability has been found in the Pingora HTTP proxy framework\u2019s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability affects users of Pingora\u0027s alpha proxy caching feature who relied on the default \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e implementation. An attacker could exploit this for:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as Cloudflare\u0027s default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eWe strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003ePingora users on previous versions may also remove any of their default \u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003e usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework\u2019s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.\n\n\nImpact\n\nThis vulnerability affects users of Pingora\u0027s alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:\n\n * Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant\n\n\n * Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as Cloudflare\u0027s default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.\n\n\nMitigation:\n\nWe strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.\n\n\nPingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:44:56.472Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cache poisoning via insecure-by-default cache key",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003ePingora users on previous versions may also remove any of their default \u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eCacheKey\u003c/span\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003e usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme.\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e"
}
],
"value": "Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer\u2019s HTTP scheme."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2836",
"datePublished": "2026-03-04T23:44:56.472Z",
"dateReserved": "2026-02-19T21:33:42.425Z",
"dateUpdated": "2026-03-04T23:44:56.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2835 (GCVE-0-2026-2835)
Vulnerability from cvelistv5 – Published: 2026-03-04 23:32 – Updated: 2026-03-04 23:32
VLAI?
Title
HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Summary
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.
Impact
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.
As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact “chunked” string match.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora\u0027s parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora\u2019s request framing from backend servers\u2019.\u003c/span\u003e\u003cb\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/b\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora\u0027s parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora\u2019s request framing from backend servers\u2019.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:\n\n * Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.\n\nAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:32:41.186Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact \u201cchunked\u201d string match."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2835",
"datePublished": "2026-03-04T23:32:41.186Z",
"dateReserved": "2026-02-19T21:24:24.726Z",
"dateUpdated": "2026-03-04T23:32:41.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2833 (GCVE-0-2026-2833)
Vulnerability from cvelistv5 – Published: 2026-03-04 23:20 – Updated: 2026-03-04 23:20
VLAI?
Title
HTTP Request Smuggling via Premature Upgrade
Summary
An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.
Impact
This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher
As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.
Severity ?
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | https://github.com/cloudflare/pingora |
Affected:
0 , < 0.8.0
(semver)
|
Credits
Rajat Raghav (xclow3n)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "https://github.com/cloudflare/pingora",
"repo": "https://github.com/cloudflare/pingora",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rajat Raghav (xclow3n)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eAn HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\n\n * Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher\n\n\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T23:20:51.985Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/pingora"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
}
],
"value": "Pingora users should upgrade to Pingora v0.8.0 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTTP Request Smuggling via Premature Upgrade",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003cbr\u003e"
}
],
"value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2026-2833",
"datePublished": "2026-03-04T23:20:51.985Z",
"dateReserved": "2026-02-19T21:02:12.382Z",
"dateUpdated": "2026-03-04T23:20:51.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}