CVE-2026-2835: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Cloudflare https://github.com/cloudflare/pingora
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.
Impact
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.
Mitigation
Pingora users should upgrade to Pingora v0.8.0 or higher, which fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to further RFC guidelines, including that HTTP request bodies are never close-delimited. As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has an invalid Content-Length, multiple Transfer-Encoding headers, or a Transfer-Encoding header that is not an exact “chunked” string match.
AI Analysis
Technical Summary
CVE-2026-2835 is an HTTP Request Smuggling vulnerability classified under CWE-444, discovered in Cloudflare's Pingora HTTP parser prior to version 0.8.0. The flaw stems from Pingora's incorrect handling of HTTP/1.0 request bodies, which it improperly allows to be close-delimited, and its flawed processing of multiple Transfer-Encoding headers. This leads to a desynchronization between Pingora’s interpretation of HTTP request framing and that of backend servers. Specifically, attackers can craft HTTP/1.0 requests with ambiguous or conflicting length indicators that cause Pingora to parse requests differently than the backend, enabling the injection of smuggled requests. This discrepancy can be exploited to bypass proxy-level access control lists (ACLs) and Web Application Firewall (WAF) protections, poison caches and upstream connections so that legitimate users receive responses intended for smuggled requests, and perform cross-user attacks by hijacking sessions or injecting requests that appear to originate from the trusted proxy IP address. Cloudflare’s own CDN infrastructure is not vulnerable because it strictly enforces HTTP/1.1 requests, rejects ambiguous framing such as invalid Content-Length headers, and only forwards a single Transfer-Encoding: chunked header for chunked requests. The vulnerability is rated critical with a CVSS 4.0 score of 9.3, reflecting its network attack vector, low complexity, no required privileges or user interaction, and high impact on integrity and availability. Mitigation involves upgrading to Pingora version 0.8.0 or later, which corrects the parsing logic to fully comply with RFC 9112, ensuring HTTP request bodies are never close-delimited and that Transfer-Encoding headers are strictly validated. As a temporary workaround, users can implement request filtering to reject non-HTTP/1.1 requests, requests with invalid Content-Length headers, multiple Transfer-Encoding headers, or Transfer-Encoding headers that do not exactly match “chunked”. This reduces the risk by preventing ambiguous request framing and disabling downstream connection reuse.
Potential Impact
The impact of CVE-2026-2835 is significant for organizations deploying standalone Pingora proxies in front of backend servers that accept HTTP/1.0 requests. Successful exploitation can allow attackers to bypass critical security controls such as ACLs and WAFs, undermining perimeter defenses. Cache poisoning and upstream connection poisoning can lead to widespread distribution of malicious or stale content to legitimate users, damaging trust and potentially enabling further attacks. Cross-user attacks facilitated by request smuggling can result in session hijacking, unauthorized actions, and data leakage. The vulnerability affects the integrity and availability of web services and can compromise confidentiality indirectly through session hijacking. Since no authentication or user interaction is required and the attack can be launched remotely over the network, the attack surface is broad. Although Cloudflare’s CDN is not affected, organizations using Pingora in custom or standalone deployments face a high risk. The absence of known exploits in the wild currently limits the immediate threat, but the critical severity and ease of exploitation mean attackers may develop exploits rapidly. The vulnerability could disrupt business operations, damage reputation, and lead to data breaches if unmitigated.
Mitigation Recommendations
To mitigate CVE-2026-2835, organizations should immediately upgrade all Pingora deployments to version 0.8.0 or later, which includes a fix that enforces strict RFC 9112-compliant parsing of HTTP message length headers and disallows close-delimited HTTP/1.0 request bodies. This upgrade is the most effective and comprehensive solution. As an interim measure, implement request filtering rules to reject any HTTP requests that are not HTTP/1.1, contain invalid or conflicting Content-Length headers, have multiple Transfer-Encoding headers, or have Transfer-Encoding headers that do not exactly match “chunked”. Additionally, disable downstream connection reuse to prevent persistent connection exploitation. Network monitoring should be enhanced to detect anomalous HTTP request patterns indicative of request smuggling attempts. Backend servers should be configured to reject ambiguous or malformed HTTP/1.0 requests where possible. Regularly audit proxy and backend configurations to ensure consistent HTTP parsing behavior and alignment with RFC standards. Finally, maintain awareness of threat intelligence updates for any emerging exploits targeting this vulnerability.
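The interim workaround described in the advisory and in the recommendations above, written out as an added example that is not Pingora's own code: a standalone Rust check over an already-parsed request-line version token and a (name, value) header list. The header representation and the function names are assumptions for illustration; Pingora's request filter API is not used. It also refuses a Content-Length sent alongside Transfer-Encoding, which the recommendations treat as conflicting framing.

```rust
/// Reason a request is refused by the interim workaround.
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    NotHttp11,
    InvalidContentLength,
    ConflictingLengthHeaders,
    MultipleTransferEncoding,
    TransferEncodingNotChunked,
}
/// Values of every header line named `name` (header names are case-insensitive).
fn values<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Vec<&'a str> {
    headers.iter().filter(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, v)| *v).collect()
}
/// Apply the advisory's workaround rules to a parsed request-line version token
/// and header list (assumed representation). Ok(()) means the request may proceed.
pub fn check_framing(version: &str, headers: &[(&str, &str)]) -> Result<(), Reject> {
    // Rule 1: only HTTP/1.1; an HTTP/1.0 body must never be close-delimited.
    if version != "HTTP/1.1" {
        return Err(Reject::NotHttp11);
    }
    let cl = values(headers, "content-length");
    let te = values(headers, "transfer-encoding");
    // Rule 2: Content-Length must be a single, purely numeric value; a repeated
    // header or a list such as "5, 5" is treated as invalid.
    if cl.len() > 1 {
        return Err(Reject::InvalidContentLength);
    }
    if let Some(v) = cl.first() {
        let v = v.trim();
        if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) {
            return Err(Reject::InvalidContentLength);
        }
    }
    // Content-Length next to Transfer-Encoding is conflicting framing.
    if !cl.is_empty() && !te.is_empty() {
        return Err(Reject::ConflictingLengthHeaders);
    }
    // Rule 3: more than one Transfer-Encoding header line is refused.
    if te.len() > 1 {
        return Err(Reject::MultipleTransferEncoding);
    }
    // Rule 4: the only accepted value is the exact string "chunked"
    // (no surrounding whitespace, different case, or "gzip, chunked" list).
    if let Some(v) = te.first() {
        if *v != "chunked" {
            return Err(Reject::TransferEncodingNotChunked);
        }
    }
    Ok(())
}
```

A proxy applying this check would return an error response for any `Err` and close the downstream connection rather than reuse it, as the advisory's workaround requires.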
Affected Countries
United States, United Kingdom, Germany, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: cloudflare
- Date Reserved: 2026-02-19T21:24:24.726Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69a8c4c1d1a09e29cb83c419
Added to database: 3/4/2026, 11:48:17 PM
Last enriched: 3/12/2026, 8:22:27 PM
Last updated: 4/19/2026, 7:26:25 AM