CVE-2026-44546 (GCVE-0-2026-44546)
Vulnerability from cvelistv5 – Published: 2026-06-03 13:17 – Updated: 2026-06-03 15:46
VLAI
Title
Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
Summary
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - (Inconsistent Interpretation of HTTP Requests -- "HTTP Request/Response Smuggling")
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/django/daphne/blob/main/CHANGE… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | daphne |
Affected:
4.2.0 , ≤ 4.2.1
(python)
Unaffected: 4.2.2 (python) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T15:45:59.459546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:46:08.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/daphne/",
"defaultStatus": "unaffected",
"packageName": "daphne",
"product": "daphne",
"repo": "https://github.com/django/daphne/",
"vendor": "djangoproject",
"versions": [
{
"lessThanOrEqual": "4.2.1",
"status": "affected",
"version": "4.2.0",
"versionType": "python"
},
{
"status": "unaffected",
"version": "4.2.2",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Rene Henningsen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Carlton Gibson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003edaphne before 4.2.2 reconstructs a raw HTTP request from Twisted\u0027s parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \u003ccode\u003e\\x0b\u003c/code\u003e, \u003ccode\u003e\\x0c\u003c/code\u003e, \u003ccode\u003e\\x1c\u003c/code\u003e, \u003ccode\u003e\\x1d\u003c/code\u003e, \u003ccode\u003e\\x1e\u003c/code\u003e, or \u003ccode\u003e\\x85\u003c/code\u003e as header line separators, but autobahn decodes header values to \u003ccode\u003estr\u003c/code\u003e and calls \u003ccode\u003esplitlines()\u003c/code\u003e. An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.\u003c/p\u003e"
}
],
"value": "daphne before 4.2.2 reconstructs a raw HTTP request from Twisted\u0027s parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \\x0b, \\x0c, \\x1c, \\x1d, \\x1e, or \\x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response."
}
],
"impacts": [
{
"capecId": "CAPEC-33",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-33: HTTP Request Smuggling"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 (Inconsistent Interpretation of HTTP Requests -- \"HTTP Request/Response Smuggling\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:17:55.283Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/django/daphne/blob/main/CHANGELOG.txt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-09T03:00:00.000Z",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2026-05-06T03:00:00.000Z",
"value": "Vulnerability confirmed."
}
],
"title": "Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2026-44546",
"datePublished": "2026-06-03T13:17:55.283Z",
"dateReserved": "2026-05-06T20:29:54.084Z",
"dateUpdated": "2026-06-03T15:46:08.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-44546\",\"sourceIdentifier\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"published\":\"2026-06-03T14:16:43.720\",\"lastModified\":\"2026-06-03T14:16:43.720\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"daphne before 4.2.2 reconstructs a raw HTTP request from Twisted\u0027s parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \\\\x0b, \\\\x0c, \\\\x1c, \\\\x1d, \\\\x1e, or \\\\x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"references\":[{\"url\":\"https://github.com/django/daphne/blob/main/CHANGELOG.txt\",\"source\":\"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44546\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-03T15:45:59.459546Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-03T15:46:04.583Z\"}}], \"cna\": {\"title\": \"Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Rene Henningsen\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Carlton Gibson\"}], \"impacts\": [{\"capecId\": \"CAPEC-33\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-33: HTTP Request Smuggling\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/django/daphne/\", \"vendor\": \"djangoproject\", \"product\": \"daphne\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.2.0\", \"versionType\": \"python\", \"lessThanOrEqual\": \"4.2.1\"}, {\"status\": \"unaffected\", \"version\": \"4.2.2\", \"versionType\": \"python\"}], \"packageName\": \"daphne\", \"collectionURL\": \"https://pypi.org/project/daphne/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-04-09T03:00:00.000Z\", \"value\": \"Initial report received.\"}, {\"lang\": \"en\", \"time\": \"2026-05-06T03:00:00.000Z\", \"value\": \"Vulnerability confirmed.\"}], \"references\": [{\"url\": \"https://github.com/django/daphne/blob/main/CHANGELOG.txt\", \"tags\": [\"release-notes\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"daphne before 4.2.2 reconstructs a raw HTTP request from Twisted\u0027s parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \\\\x0b, \\\\x0c, \\\\x1c, \\\\x1d, \\\\x1e, or \\\\x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003edaphne before 4.2.2 reconstructs a raw HTTP request from Twisted\u0027s parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \u003ccode\u003e\\\\x0b\u003c/code\u003e, \u003ccode\u003e\\\\x0c\u003c/code\u003e, \u003ccode\u003e\\\\x1c\u003c/code\u003e, \u003ccode\u003e\\\\x1d\u003c/code\u003e, \u003ccode\u003e\\\\x1e\u003c/code\u003e, or \u003ccode\u003e\\\\x85\u003c/code\u003e as header line separators, but autobahn decodes header values to \u003ccode\u003estr\u003c/code\u003e and calls \u003ccode\u003esplitlines()\u003c/code\u003e. An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444 (Inconsistent Interpretation of HTTP Requests -- \\\"HTTP Request/Response Smuggling\\\")\"}]}], \"providerMetadata\": {\"orgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"shortName\": \"DSF\", \"dateUpdated\": \"2026-06-03T13:17:55.283Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-44546\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-03T15:46:08.745Z\", \"dateReserved\": \"2026-05-06T20:29:54.084Z\", \"assignerOrgId\": \"6a34fbeb-21d4-45e7-8e0a-62b95bc12c92\", \"datePublished\": \"2026-06-03T13:17:55.283Z\", \"assignerShortName\": \"DSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…