CVE-2026-34475 is a vulnerability identified in Varnish Cache, a widely used HTTP accelerator and caching reverse proxy. The issue stems from an incorrect behavior order related to the CWE-180 category: 'Validate Before Canonicalize.' In affected versions (prior to 8.0.1 for Varnish Cache and before 6.0.16r12 for Varnish Enterprise), the software mishandles URLs with a path of '/' in HTTP/1.1 requests when certain req.url scenarios are unchecked. This improper handling occurs because the system validates the URL before canonicalizing it, which can allow specially crafted requests to bypass intended validation checks. The consequence is that an attacker can potentially poison the cache by injecting malicious content or bypass authentication mechanisms that rely on URL validation. The vulnerability does not require privileges or user interaction but has a high attack complexity, meaning exploitation requires specific conditions or knowledge. The flaw primarily affects confidentiality and integrity by allowing unauthorized content injection or access bypass, but it does not impact availability. No public exploits have been reported yet, but the risk remains significant given Varnish Cache's role in accelerating web content delivery and protecting backend servers. The CVSS v3.1 score of 5.4 reflects a medium severity, balancing the potential impact with the complexity of exploitation.

The vulnerability can lead to cache poisoning, where attackers inject malicious or unauthorized content into the cache, causing users to receive incorrect or harmful data. This undermines data integrity and can facilitate further attacks such as phishing or malware distribution. Additionally, the authentication bypass potential could allow unauthorized users to access protected resources, compromising confidentiality. For organizations relying on Varnish Cache to secure and accelerate web applications, this could result in data breaches, loss of user trust, and regulatory compliance violations. Since Varnish Cache is commonly used by large websites, CDNs, and cloud services, the scope of impact is broad. However, the high attack complexity reduces the likelihood of widespread exploitation. The absence of known exploits in the wild currently limits immediate risk but does not eliminate it. Failure to address this vulnerability could expose organizations to targeted attacks, especially those with high-value web assets.

Organizations should upgrade Varnish Cache to version 8.0.1 or later and Varnish Enterprise to 6.0.16r12 or later, where this vulnerability is fixed. If immediate patching is not feasible, administrators should implement strict input validation and URL normalization at the web application firewall (WAF) or reverse proxy level to ensure URLs are properly canonicalized before validation. Monitoring and logging of unusual or malformed requests targeting the root path '/' should be enhanced to detect potential exploitation attempts. Additionally, review and tighten cache key generation logic to prevent unauthorized cache entries. Employ network segmentation and access controls to limit exposure of Varnish Cache instances to untrusted networks. Regularly audit and update security policies related to caching infrastructure. Finally, stay informed about any emerging exploits or patches related to this CVE.