CVE-2026-34441 is a vulnerability classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), commonly known as HTTP Request Smuggling, found in the cpp-httplib library, a popular C++11 single-header HTTP/HTTPS library. Versions prior to 0.40.0 do not properly consume the request body in the static file handler for GET requests. In HTTP/1.1 keep-alive connections, unread bytes from the request body remain on the TCP stream and are mistakenly interpreted as the start of a new HTTP request by the server. This allows an attacker to craft a GET request containing an embedded arbitrary HTTP request in its body. When the server processes this, it treats the embedded request as a separate, legitimate request, enabling request smuggling attacks. Such attacks can cause desynchronization between front-end and back-end servers or proxies, leading to security bypasses, cache poisoning, or unauthorized actions. The vulnerability requires no authentication or user interaction but has a higher attack complexity due to the need to craft precise HTTP requests. The issue was addressed in cpp-httplib version 0.40.0 by ensuring the request body is fully consumed, preventing leftover bytes from being misinterpreted. No public exploits have been reported yet, but the vulnerability poses a risk to any application embedding vulnerable versions of cpp-httplib in their HTTP handling stack.

The primary impact of this vulnerability is the potential for HTTP Request Smuggling attacks, which can lead to several security issues including bypassing security controls such as firewalls or WAFs, cache poisoning, session hijacking, and unauthorized request execution. Organizations using cpp-httplib in web servers, proxies, or embedded HTTP services may experience partial request confusion, allowing attackers to manipulate how requests are processed internally. This can compromise confidentiality and integrity by enabling unauthorized access or data manipulation. Although the CVSS score is medium (4.8), the impact can escalate depending on the deployment context, especially if cpp-httplib is used in critical infrastructure or exposed services. The vulnerability does not affect availability directly but can facilitate attacks that degrade service or cause unexpected behavior. Since cpp-httplib is a widely used library in C++ projects, the scope includes any organization embedding this library without the patch, particularly those maintaining custom HTTP servers or IoT devices.

The most effective mitigation is to upgrade cpp-httplib to version 0.40.0 or later, where the vulnerability is patched by ensuring the request body is fully consumed before processing subsequent requests. For organizations unable to upgrade immediately, implementing strict input validation and limiting HTTP/1.1 keep-alive connections can reduce risk. Deploying front-end web application firewalls (WAFs) or reverse proxies that detect and block malformed or suspicious HTTP requests can help mitigate exploitation attempts. Additionally, monitoring HTTP traffic for anomalies such as unexpected request patterns or embedded requests can provide early detection. Developers should audit their use of cpp-httplib to confirm no custom handlers bypass request body consumption. Finally, applying defense-in-depth by isolating vulnerable services and restricting network exposure minimizes potential attack surfaces.