Skip to main content

Varnish Enterprise CVE-2026-34475

| EUVDEUVD-2026-16801 MEDIUM
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2026-03-27 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
8.0.1,6.0.17
EUVD ID Assigned
Mar 27, 2026 - 20:22 euvd
EUVD-2026-16801
Analysis Generated
Mar 27, 2026 - 20:22 vuln.today
CVE Published
Mar 27, 2026 - 20:16 nvd
MEDIUM 5.4

DescriptionCVE.org

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.

AnalysisAI

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.

Technical ContextAI

Varnish Cache is an HTTP accelerator and reverse proxy that caches web content to improve performance. The vulnerability stems from improper URL handling in HTTP/1.1 request processing, specifically when the path component is set to the root path (/). CWE-180 (Incorrect Behavior of Shift and Rotation Operator) typically involves bitwise operation errors, but in this context likely indicates unsafe transformation or normalization of URL path components. When req.url is not properly validated before use in caching decisions or authentication checks, attackers can craft malicious requests with root paths that bypass security controls. The affected versions are Varnish Cache before 8.0.1 (CPE: cpe:2.3:a:varnish:varnish_cache:*:*:*:*:*:*:*:*) and Varnish Enterprise before 6.0.16r12 (CPE: cpe:2.3:a:varnish:varnish_enterprise:*:*:*:*:*:*:*:*).

RemediationAI

Upgrade Varnish Cache to version 8.0.1 or later, which includes the fix for improper HTTP/1.1 URL path handling. Varnish Enterprise users should update to 6.0.16r12 or later. For users unable to immediately patch, review and strengthen validation of req.url in Varnish Configuration Language (VCL) policies, ensuring that root path requests (/) are explicitly handled and do not bypass intended caching or authentication logic. Disable or restrict caching of authentication-sensitive responses until patched. Consult the official advisory at https://vinyl-cache.org/security/VSV00018.html for detailed configuration workarounds and patch deployment instructions.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-34475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy