CVE-2026-2835: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Cloudflare https://github.com/cloudflare/pingora
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.
Impact
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:
- Bypass proxy-level ACL controls and WAF logic
- Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
- Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.
Mitigation
Pingora users should upgrade to Pingora v0.8.0 or higher, which fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited. As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has an invalid Content-Length, multiple Transfer-Encoding headers, or a Transfer-Encoding header that is not an exact “chunked” string match.
AI Analysis
Technical Summary
CVE-2026-2835 identifies a critical HTTP Request Smuggling vulnerability in Cloudflare's Pingora HTTP parser, specifically in its handling of HTTP/1.0 requests and Transfer-Encoding headers. The root cause is Pingora's incorrect allowance of HTTP/1.0 request bodies to be close-delimited and improper parsing of multiple Transfer-Encoding values. This leads to a desynchronization between Pingora's request framing and that of backend servers, enabling attackers to inject crafted HTTP/1.0 requests that are interpreted differently by Pingora and the backend. Such desync can be exploited to bypass proxy-level access control lists (ACLs) and Web Application Firewall (WAF) protections, poison caches and upstream connections causing legitimate users to receive malicious responses, and perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP address. The vulnerability primarily impacts standalone Pingora deployments placed in front of backends that accept HTTP/1.0 requests. Cloudflare’s own CDN infrastructure is unaffected due to its strict enforcement of HTTP/1.1 requests, rejection of ambiguous framing, and limitation to a single Transfer-Encoding: chunked header. The vulnerability has been assigned a CVSS 4.0 score of 9.3, reflecting its critical severity with network attack vector, no required privileges or user interaction, and high impact on integrity and availability. Mitigation involves upgrading to Pingora version 0.8.0 or later, which fixes the issue by adhering strictly to RFC 9112 guidelines, including disallowing close-delimited HTTP request bodies and correctly parsing message length headers. As a temporary workaround, users can implement request filtering to reject non-HTTP/1.1 requests, requests with invalid Content-Length headers, multiple Transfer-Encoding headers, or Transfer-Encoding headers not exactly matching “chunked”. No public exploits have been reported to date.
Potential Impact
The impact of CVE-2026-2835 is significant for organizations using standalone Pingora deployments in front of backend servers that accept HTTP/1.0 requests. Successful exploitation allows attackers to bypass critical security controls such as proxy ACLs and WAFs, undermining perimeter defenses. Cache poisoning and upstream connection poisoning can lead to widespread delivery of malicious or unauthorized content to legitimate users, potentially causing data leakage, session hijacking, or unauthorized actions performed on behalf of users. Cross-user attacks facilitated by request smuggling can compromise session integrity and confidentiality, leading to unauthorized access and data breaches. The desynchronization can also disrupt service availability by confusing backend servers with malformed requests. Although Cloudflare’s CDN infrastructure is not affected, organizations deploying Pingora independently or in hybrid environments face elevated risk. The vulnerability’s critical CVSS score reflects the ease of exploitation over the network without authentication or user interaction, combined with high impact on integrity and availability. This could lead to severe operational disruptions, data compromise, and erosion of trust in affected services.
Mitigation Recommendations
To mitigate CVE-2026-2835, organizations should immediately upgrade Pingora to version 0.8.0 or later, which implements RFC 9112-compliant HTTP parsing and disallows close-delimited HTTP/1.0 request bodies. This upgrade is the definitive fix and should be prioritized in all environments using Pingora. As an interim measure, implement strict request filtering to reject any HTTP requests that are not HTTP/1.1, have invalid or ambiguous Content-Length headers, contain multiple Transfer-Encoding headers, or have Transfer-Encoding values other than an exact “chunked” string. Disabling downstream connection reuse can also reduce the risk of request smuggling attacks. Additionally, review backend server configurations to minimize acceptance of HTTP/1.0 requests where possible, and monitor logs for anomalous request patterns indicative of smuggling attempts. Network-level protections such as rate limiting and anomaly detection can help identify exploitation attempts. Finally, ensure that all proxy and backend components are updated and configured to handle HTTP requests consistently to prevent desynchronization.
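The interim workaround given in the description and in the mitigation recommendations above reduces to a handful of checks on the request head: the version must be HTTP/1.1, Content-Length must be a single plain decimal value, there must be at most one Transfer-Encoding field, and its value must be exactly "chunked". The Rust function below is an added example written for this page; it is not Pingora's code and does not use Pingora's request_filter API. It applies those rules to a raw request head string and, going one step past the advisory's list, also rejects a request that carries both Content-Length and Transfer-Encoding, which RFC 9112 section 6.3 explicitly permits a server to do. The type FramingError, the function check_request_framing and the sample request heads are all constructed for this example.

```rust
// Added example (not Pingora code): a standalone check implementing the advisory's
// interim workaround on the request head. In a deployment the same verdict would be
// produced inside the proxy's request filter and, on Err, the proxy would answer with
// an error and close the downstream connection rather than reuse it.

#[derive(Debug, PartialEq, Eq)]
pub enum FramingError {
    MalformedRequestLine,
    NotHttp11(String),
    MalformedHeader(String),
    MultipleTransferEncoding,
    NonChunkedTransferEncoding(String),
    InvalidContentLength,
    BothLengthHeaders,
}

/// `head` is the request line plus header fields, CRLF-separated, ending at the
/// blank line. Ok(()) means the framing is unambiguous under the workaround rules.
pub fn check_request_framing(head: &str) -> Result<(), FramingError> {
    let mut lines = head.split("\r\n");
    let request_line = lines.next().ok_or(FramingError::MalformedRequestLine)?;
    let parts: Vec<&str> = request_line.split(' ').collect();
    if parts.len() != 3 {
        return Err(FramingError::MalformedRequestLine);
    }
    // Rule 1: only HTTP/1.1 is processed; the close-delimited body ambiguity
    // described in the advisory lives in HTTP/1.0 handling.
    if parts[2] != "HTTP/1.1" {
        return Err(FramingError::NotHttp11(parts[2].to_string()));
    }

    let mut content_length: Vec<&str> = Vec::new();
    let mut transfer_encoding: Vec<&str> = Vec::new();
    for line in lines {
        if line.is_empty() {
            break; // the blank line terminates the header section
        }
        let (name, value) = line
            .split_once(':')
            .ok_or_else(|| FramingError::MalformedHeader(line.to_string()))?;
        // RFC 9112 section 5.1: whitespace between the field name and the colon
        // must be rejected, because different parsers disagree on how to treat it.
        if name.is_empty() || name.contains(char::is_whitespace) {
            return Err(FramingError::MalformedHeader(line.to_string()));
        }
        // Field names are case-insensitive; optional whitespace around the value is not.
        match name.to_ascii_lowercase().as_str() {
            "content-length" => content_length.push(value.trim()),
            "transfer-encoding" => transfer_encoding.push(value.trim()),
            _ => {}
        }
    }

    // Rule 2: more than one Transfer-Encoding field is rejected outright.
    if transfer_encoding.len() > 1 {
        return Err(FramingError::MultipleTransferEncoding);
    }
    // Rule 3: the only accepted Transfer-Encoding value is the exact token "chunked"
    // (so "chunked, identity" or "Chunked" are refused, not normalised).
    if let Some(te) = transfer_encoding.first() {
        if *te != "chunked" {
            return Err(FramingError::NonChunkedTransferEncoding(te.to_string()));
        }
    }
    // Rule 4: Content-Length must be a single field holding one plain decimal number
    // (no lists, no signs, no duplicates, even duplicates that agree).
    if content_length.len() > 1 {
        return Err(FramingError::InvalidContentLength);
    }
    if let Some(cl) = content_length.first() {
        let plain_digits = !cl.is_empty() && cl.bytes().all(|b| b.is_ascii_digit());
        if !plain_digits || cl.parse::<u64>().is_err() {
            return Err(FramingError::InvalidContentLength);
        }
    }
    // Beyond the advisory's list: RFC 9112 section 6.3 lets a server reject a message
    // carrying both fields, since that combination is the classic desync signal.
    if !content_length.is_empty() && !transfer_encoding.is_empty() {
        return Err(FramingError::BothLengthHeaders);
    }
    Ok(())
}

fn main() {
    // Constructed sample request heads for illustration, not captured traffic.
    let samples = [
        "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n",
        "POST /api HTTP/1.0\r\nHost: app.example\r\n\r\n",
        "POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n",
        "POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
        "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5, 5\r\n\r\n",
        "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    ];
    for &head in samples.iter() {
        let first = head.lines().next().unwrap_or("");
        match check_request_framing(head) {
            Ok(()) => println!("accept: {:?}", first),
            Err(e) => println!("reject: {:?} ({:?})", first, e),
        }
    }
}
```

The checks are deliberately ordered so that the request line is judged before any header, and a malformed header aborts parsing before the length rules run; a filter that silently skips a header it cannot parse is exactly the kind of lenient behaviour that lets two parsers disagree on where a request ends.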
Affected Countries
United States, Canada, United Kingdom, Germany, France, Netherlands, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: cloudflare
- Date Reserved: 2026-02-19T21:24:24.726Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69a8c4c1d1a09e29cb83c419
Added to database: 3/4/2026, 11:48:17 PM
Last enriched: 3/5/2026, 12:02:35 AM
Last updated: 3/5/2026, 3:51:57 AM