CVE-2026-23941: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Erlang OTP
CVE-2026-23941 is a high-severity HTTP Request Smuggling vulnerability in the Erlang OTP inets httpd module affecting versions from OTP 17.0 through OTP 28.4.1 and certain patch releases. The issue arises because the server does not reject or normalize duplicate Content-Length headers, using the earliest header for body parsing, while common reverse proxies use the last header, violating RFC 9112. This discrepancy allows front-end and back-end desynchronization, enabling attackers to smuggle HTTP requests and potentially inject malicious payloads into subsequent requests. Exploitation does not require authentication or user interaction but has a high attack complexity and scope limited to systems running vulnerable Erlang OTP versions. No known exploits are currently reported in the wild. Organizations using Erlang OTP for HTTP services, especially behind proxies like nginx, Apache httpd, or Envoy, should prioritize patching or mitigating this issue to prevent request smuggling attacks that could lead to request hijacking, cache poisoning, or bypassing security controls.
AI Analysis
Technical Summary
CVE-2026-23941 is an HTTP Request Smuggling vulnerability classified under CWE-444, found in the Erlang OTP inets httpd module, specifically in the httpd_request:parse_headers/7 function. The vulnerability stems from inconsistent handling of duplicate Content-Length headers in HTTP requests. The vulnerable server implementation uses the earliest Content-Length header to determine the request body length, whereas common reverse proxies such as nginx, Apache httpd, and Envoy honor the last Content-Length header as per RFC 9112 Section 6.3. This discrepancy leads to front-end/back-end desynchronization, where the backend server misinterprets the request boundaries, allowing attacker-controlled bytes to be queued as part of the next HTTP request. This can facilitate HTTP Request Smuggling attacks, enabling attackers to bypass security controls, poison caches, hijack user sessions, or perform other malicious activities by injecting crafted requests. The vulnerability affects Erlang OTP versions from 17.0 up to 28.4.1, including specific patch releases 27.3.4.9 and 26.2.5.18, corresponding to inets module versions 5.10 through 9.6.1 and related patches. The CVSS v4.0 score is 7.0 (high), reflecting network attack vector, high attack complexity, and no required privileges or user interaction. No public exploits have been reported yet, but the nature of the vulnerability and the wide deployment of the affected components make it a significant risk. The issue requires patching or mitigation to ensure HTTP request parsing consistency and compliance with RFC standards.
Potential Impact
The impact of CVE-2026-23941 is significant for organizations running Erlang OTP-based HTTP servers behind reverse proxies. HTTP Request Smuggling can lead to a range of attacks including cache poisoning, cross-user request hijacking, bypassing of security controls such as web application firewalls, and injection of malicious requests that can compromise confidentiality, integrity, and availability of web services. Attackers can exploit this vulnerability to desynchronize the front-end proxy and back-end server, potentially gaining unauthorized access to sensitive data or executing unauthorized actions. Given Erlang OTP's use in telecom, messaging platforms, and distributed systems, exploitation could disrupt critical infrastructure or services. The vulnerability's network-level exploitability and lack of required authentication increase the risk of remote attacks. Although no exploits are currently known in the wild, the widespread use of affected versions and common deployment behind popular proxies heightens the urgency for remediation. Failure to address this vulnerability could result in data breaches, service disruption, and reputational damage.
Mitigation Recommendations
To mitigate CVE-2026-23941, organizations should prioritize upgrading Erlang OTP to versions beyond OTP 28.4.1 or the latest patched releases that address this vulnerability once available. In the absence of immediate patches, administrators should implement strict input validation and normalization of HTTP headers at the proxy or load balancer level to reject requests containing duplicate Content-Length headers. Configuring reverse proxies to enforce consistent header parsing and to normalize or reject ambiguous requests can reduce the risk of desynchronization. Employing Web Application Firewalls (WAFs) with rules designed to detect and block HTTP Request Smuggling attempts can provide additional protection. Monitoring HTTP traffic for anomalies such as unexpected request boundaries or duplicated headers is recommended. Network segmentation and limiting exposure of vulnerable services to untrusted networks can reduce the attack surface. Finally, organizations should review their HTTP server and proxy configurations to ensure compliance with RFC 9112 and test their environments for request smuggling vulnerabilities using specialized security tools.
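The following is an added example, not code from the advisory or from Erlang/OTP: a minimal HTTP/1.1 request-head parser that shows how the body-length decision diverges between the "earliest Content-Length wins" behaviour described for inets httpd and the "last wins" behaviour described for the proxies, and the strict rejection of duplicate Content-Length headers that the mitigation section recommends applying at the proxy or WAF. The sample request is constructed for illustration.

```python
# Added example (not from the advisory or from Erlang/OTP).
# Demonstrates why two Content-Length headers desynchronize a
# first-wins back end from a last-wins front end, and the strict
# policy a proxy/WAF should apply: reject duplicate Content-Length.

CRLF = b"\r\n"

# Constructed sample: two differing Content-Length values, 11 body bytes.
AMBIGUOUS_REQUEST = (
    b"POST /submit HTTP/1.1" + CRLF
    + b"Host: example.test" + CRLF
    + b"Content-Length: 4" + CRLF
    + b"Content-Length: 11" + CRLF
    + CRLF
    + b"abcd1234567"
)

def parse_head(raw: bytes):
    """Split raw bytes into (request_line, [(name, value), ...], bytes_after_head)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest

def body_length(headers, policy: str) -> int:
    """Body length under 'first' (vulnerable back end), 'last' (proxy), or 'strict'."""
    values = [int(v) for n, v in headers if n == b"content-length"]
    if not values:
        return 0
    if policy == "strict" and len(values) > 1:
        # Mitigation: duplicate Content-Length is ambiguous; reject (HTTP 400).
        raise ValueError("duplicate Content-Length headers; reject request")
    if policy == "first":
        return values[0]
    return values[-1]  # 'last' and single-valued 'strict'

def leftover_after_body(raw: bytes, policy: str) -> int:
    """Bytes a parser under `policy` leaves queued as the start of the next request."""
    _, headers, rest = parse_head(raw)
    return len(rest) - body_length(headers, policy)

def has_duplicate_content_length(raw: bytes) -> bool:
    """Detection helper for proxy/WAF logic: flag requests the back end would parse differently."""
    _, headers, _ = parse_head(raw)
    return sum(1 for n, _ in headers if n == b"content-length") > 1
```

Under the "first" policy 7 of the 11 body bytes remain queued for the next request while the "last" policy consumes all of them, which is the boundary disagreement the advisory describes; the "strict" policy refuses the request outright.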
Affected Countries
United States, Germany, France, United Kingdom, China, India, Japan, South Korea, Brazil, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-01-19T14:23:14.343Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b3d90e2f860ef943bac721
Added to database: 3/13/2026, 9:29:50 AM
Last enriched: 3/13/2026, 9:44:16 AM
Last updated: 3/13/2026, 1:56:39 PM