Skip to main content

Haproxy CVE-2026-33555

| EUVDEUVD-2026-21997 MEDIUM
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-04-13 mitre GHSA-5mp8-rq5m-pj7m
5.8
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CIRCL (temporal)
4.0 MEDIUM
cvss
SUSE
3.1 LOW
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Red Hat
4.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
CVSS changed
Jun 29, 2026 - 15:37 NVD
4.0 (MEDIUM) 5.8 (MEDIUM)
Patch released
Apr 22, 2026 - 19:17 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
3.3.6
Analysis Generated
Apr 13, 2026 - 17:14 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 16:45 euvd
EUVD-2026-21997
Analysis Generated
Apr 13, 2026 - 16:45 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
MEDIUM 4.0

DescriptionNVD

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

AnalysisAI

HAProxy versions 2.6 through 3.3.5 fail to validate that received HTTP/3 message body lengths match the announced Content-Length header when streams close via empty-payload frames, enabling request smuggling and backend desynchronization attacks. An unauthenticated remote attacker can exploit this via network-level HTTP/3 traffic to cause integrity violations (integrity impact rated low by CVSS), though practical exploitation requires high attack complexity. No public exploit code or active CISA KEV designation has been confirmed; the moderate CVSS 4.0 and high attack complexity suggest this is a specialized HTTP/3 protocol abuse requiring precise crafting.

Technical ContextAI

HAProxy's HTTP/3 parser implements QUIC-based HTTP semantics but contains a validation gap in the stream lifecycle. The vulnerability stems from CWE-130 (Improper Handling of Length Parameters), where the parser accepts stream termination (empty-payload frames closing the stream) without verifying that the cumulative bytes received match the Content-Length header declared at message start. This desynchronization allows an attacker to inject unintended message boundaries: a frontend client might believe a request ends at one point while the backend interprets it differently, creating a classic request smuggling window. Affected versions include HAProxy 2.6 through 3.3.5 across all operating systems (CPE: cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*). The issue is specific to the HTTP/3 protocol path (QUIC), not HTTP/1.1 or HTTP/2, making it a protocol-specific parser flaw.

RemediationAI

Upgrade HAProxy to version 3.3.6 or later, which includes the fix committed to the upstream repository (https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84). If immediate patching is not feasible, disable HTTP/3 support in HAProxy configuration to eliminate the attack surface; this involves removing QUIC listener configurations and reverting to HTTP/1.1 or HTTP/2 as the default protocol. Organizations using HAProxy 2.6 through 3.3.5 should prioritize patching and monitor mailing list announcements (https://www.mail-archive.com/haproxy@formilux.org/) for additional security guidance. Testing of patched versions in a staging environment is recommended before production deployment.

CVE-2016-5360 HIGH
7.5 Jun 30

HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service

CVE-2021-40346 HIGH POC
7.5 Sep 08

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request

CVE-2019-18277 HIGH POC
7.5 Oct 23

A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2019-14241 HIGH POC
7.5 Jul 23

HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_

CVE-2023-40225 HIGH POC
7.2 Aug 10

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2

CVE-2019-8953 MEDIUM POC
6.1 Feb 20

The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, re

CVE-2019-19330 CRITICAL
9.8 Nov 27

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd

CVE-2023-25725 CRITICAL
9.1 Feb 14

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situatio

CVE-2026-55203 CRITICAL
9.0 Jun 18

FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux r

CVE-2014-6269 MEDIUM POC
5.0 Sep 30

Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 a

CVE-2020-11100 HIGH
8.8 Apr 02

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can w

CVE-2026-55204 HIGH
8.7 Jun 18

Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggeri

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.0 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-33555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy