CVE-2026-40560: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in MIYAGAWA Starman
CVE-2026-40560 is a high-severity vulnerability in MIYAGAWA Starman versions before 0.4018 for Perl. The issue arises because Starman incorrectly prioritizes the Content-Length header over the Transfer-Encoding: chunked header when both are present in an HTTP request, contrary to RFC 7230 section 3.3.3. This improper header precedence enables HTTP Request Smuggling attacks, where an attacker can send crafted requests that are interpreted inconsistently by front-end reverse proxies and the backend server. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time. The vulnerability affects network-exposed services and has a CVSS score of 7.5, indicating high severity.
AI Analysis
Technical Summary
Starman versions prior to 0.4018 for Perl contain an HTTP Request Smuggling vulnerability due to improper handling of HTTP headers. Specifically, when both Content-Length and Transfer-Encoding: chunked headers are included in a request, Starman incorrectly gives precedence to Content-Length instead of Transfer-Encoding as mandated by RFC 7230 section 3.3.3. This inconsistency can be exploited by attackers to smuggle malicious HTTP requests through front-end reverse proxies, potentially bypassing security controls or causing unintended behavior in backend services. The vulnerability is tracked as CVE-2026-40560 and is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests). No patch or official remediation has been published yet.
Potential Impact
Successful exploitation allows an attacker to perform HTTP Request Smuggling attacks against Starman servers, potentially enabling them to bypass security controls implemented by front-end proxies. This can lead to unauthorized request injection or manipulation. The CVSS score of 7.5 reflects high confidentiality impact but no integrity or availability impact. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider deploying additional protections at the proxy or firewall level to detect or block suspicious HTTP requests containing conflicting Content-Length and Transfer-Encoding headers. Monitoring for unusual HTTP traffic patterns may help identify attempted exploitation.
CVE-2026-40560: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in MIYAGAWA Starman
Description
CVE-2026-40560 is a high-severity vulnerability in MIYAGAWA Starman versions before 0.4018 for Perl. The issue arises because Starman incorrectly prioritizes the Content-Length header over the Transfer-Encoding: chunked header when both are present in an HTTP request, contrary to RFC 7230 section 3.3.3. This improper header precedence enables HTTP Request Smuggling attacks, where an attacker can send crafted requests that are interpreted inconsistently by front-end reverse proxies and the backend server. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time. The vulnerability affects network-exposed services and has a CVSS score of 7.5, indicating high severity.
CVSS v3.1
Score 7.5high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Starman versions prior to 0.4018 for Perl contain an HTTP Request Smuggling vulnerability due to improper handling of HTTP headers. Specifically, when both Content-Length and Transfer-Encoding: chunked headers are included in a request, Starman incorrectly gives precedence to Content-Length instead of Transfer-Encoding as mandated by RFC 7230 section 3.3.3. This inconsistency can be exploited by attackers to smuggle malicious HTTP requests through front-end reverse proxies, potentially bypassing security controls or causing unintended behavior in backend services. The vulnerability is tracked as CVE-2026-40560 and is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests). No patch or official remediation has been published yet.
Potential Impact
Successful exploitation allows an attacker to perform HTTP Request Smuggling attacks against Starman servers, potentially enabling them to bypass security controls implemented by front-end proxies. This can lead to unauthorized request injection or manipulation. The CVSS score of 7.5 reflects high confidentiality impact but no integrity or availability impact. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider deploying additional protections at the proxy or firewall level to detect or block suspicious HTTP requests containing conflicting Content-Length and Transfer-Encoding headers. Monitoring for unusual HTTP traffic patterns may help identify attempted exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-14T11:35:53.644Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f14b7fcbff5d8610f33f19
Added to database: 4/29/2026, 12:06:23 AM
Last enriched: 5/6/2026, 2:11:45 AM
Last updated: 6/13/2026, 2:24:09 AM
Views: 150
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.