Skip to main content

CVE-2026-26365

MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-02-23 cve@mitre.org
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 23, 2026 - 09:17 nvd
MEDIUM 4.0

DescriptionCVE.org

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

AnalysisAI

HTTP request smuggling in Akamai Ghost CDN edge servers before 2026-02-06 allows remote attackers to craft malicious requests with conflicting hop-by-hop headers that cause improper message framing when forwarded to origin servers. An attacker can exploit this to inject unauthorized requests or bypass security controls by manipulating how the origin server interprets the request body. No patch is currently available.

Technical ContextAI

This vulnerability (CWE-444: HTTP Request/Response Smuggling) affects Akamai Ghost on Akamai CDN edge server. Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

Affected ProductsAI

Product: Akamai Ghost on Akamai CDN edge server. Versions: up to 2026-02.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-26365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy