CVE-2026-23941: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Erlang OTP
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
AI Analysis
Technical Summary
The vulnerability in Erlang OTP's inets httpd module (httpd_request:parse_headers/7) involves inconsistent handling of duplicate Content-Length headers in HTTP requests. The server uses the first Content-Length header to parse the body, whereas common reverse proxies (nginx, Apache httpd, Envoy) use the last Content-Length header. This mismatch leads to HTTP Request Smuggling, violating RFC 9112 Section 6.3, and can cause desynchronization between front-end and back-end servers. Affected versions include OTP 17.0 through OTP 28.4.1 and related inets versions. The CVSS 4.0 score is 7.0, indicating high severity. No vendor advisory or patch information is currently available.
Potential Impact
This vulnerability can lead to front-end/back-end desynchronization in HTTP request processing, allowing an attacker to smuggle HTTP requests. This may result in attacker-controlled bytes being interpreted as part of subsequent requests, potentially enabling request hijacking or bypassing security controls. The impact is limited to affected Erlang OTP versions running the vulnerable inets httpd module. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor Erlang's official channels for updates. In the meantime, consider deploying reverse proxies or web application firewalls that can detect and mitigate HTTP request smuggling attempts as a temporary measure.
CVE-2026-23941: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Erlang OTP
Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
CVSS v4.0
Score 7.0high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Erlang OTP's inets httpd module (httpd_request:parse_headers/7) involves inconsistent handling of duplicate Content-Length headers in HTTP requests. The server uses the first Content-Length header to parse the body, whereas common reverse proxies (nginx, Apache httpd, Envoy) use the last Content-Length header. This mismatch leads to HTTP Request Smuggling, violating RFC 9112 Section 6.3, and can cause desynchronization between front-end and back-end servers. Affected versions include OTP 17.0 through OTP 28.4.1 and related inets versions. The CVSS 4.0 score is 7.0, indicating high severity. No vendor advisory or patch information is currently available.
Potential Impact
This vulnerability can lead to front-end/back-end desynchronization in HTTP request processing, allowing an attacker to smuggle HTTP requests. This may result in attacker-controlled bytes being interpreted as part of subsequent requests, potentially enabling request hijacking or bypassing security controls. The impact is limited to affected Erlang OTP versions running the vulnerable inets httpd module. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor Erlang's official channels for updates. In the meantime, consider deploying reverse proxies or web application firewalls that can detect and mitigate HTTP request smuggling attempts as a temporary measure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-01-19T14:23:14.343Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b3d90e2f860ef943bac721
Added to database: 3/13/2026, 9:29:50 AM
Last enriched: 5/27/2026, 8:03:50 PM
Last updated: 6/11/2026, 7:20:35 PM
Views: 365
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.