Skip to main content

mtrudel bandit CVE-2026-39805

| EUVDEUVD-2026-26712 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-01 EEF GHSA-c67r-gc9j-2qf7
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
May 01, 2026 - 23:15 vuln.today
Analysis Generated
May 01, 2026 - 23:15 vuln.today
CVSS changed
May 01, 2026 - 21:22 NVD
6.3 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 21:01 euvd
EUVD-2026-26712
Analysis Generated
May 01, 2026 - 21:01 vuln.today
Patch released
May 01, 2026 - 21:01 nvd
Patch available
CVE Published
May 01, 2026 - 20:34 nvd
MEDIUM 6.3

DescriptionCVE.org

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.

'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.

When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

This issue affects bandit: before 1.11.0.

AnalysisAI

HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. The vulnerability stems from Bandit accepting only the first Content-Length header while proxies may use the last value, causing request framing desynchronization that enables smuggling past WAF rules, path-based ACLs, rate limiting, and audit logging. CVSS 6.3 (AV:N/AC:L/AT:P) indicates network-accessible exploitation with some attack timing complexity; no public exploit code or active KEV listing identified at analysis time, but RFC 9112 non-compliance creates a known attack pattern.

Technical ContextAI

The vulnerability exists in Bandit's HTTP/1.1 header parsing logic, specifically in 'Elixir.Bandit.Headers':get_content_length/1 within lib/bandit/headers.ex. The Elixir function List.keyfind/3 returns only the first matching header when multiple Content-Length headers exist in an HTTP request, violating RFC 9112 Section 6.3 which mandates rejection of duplicate Content-Length headers as unrecoverable framing errors. When Bandit operates behind a reverse proxy (common in edge deployments), the proxy may normalize the request by selecting the last Content-Length value and forwarding it, while Bandit reads the body based on the first value. This creates a desynchronized framing state: bytes intended for the second request (as interpreted by Bandit's logic) remain in the keep-alive connection buffer and are processed as a separate pipelined HTTP request, bypassing upstream security controls that evaluated the original request. The attack leverages inconsistent HTTP semantics interpretation between two network hops - a classic request smuggling vulnerability (CWE-444).

RemediationAI

Vendor-released patch: bandit 1.11.0 or later. The upstream fix modifies get_content_length/1 to reject all requests with multiple Content-Length headers (even if values are identical) by returning an error, causing Bandit to return HTTP 400 Bad Request per RFC 9112 Section 6.3. Deploy bandit 1.11.0+ immediately in all environments. For organizations unable to upgrade immediately, implement the following compensating controls: (1) Disable HTTP keep-alive on the reverse proxy layer by setting 'Connection: close' in responses, preventing pipelined request exploitation on the same connection (trade-off: increased connection overhead); (2) Configure the upstream proxy to reject requests with multiple Content-Length headers before forwarding to Bandit, e.g., using nginx 'if ($http_content_length_count > 1)' validation or equivalent WAF rules (trade-off: must maintain proxy ruleset in sync with Bandit releases); (3) Run Bandit behind a strict rate-limiting and request inspection layer that treats request smuggling attempts as attack signals (trade-off: adds operational complexity). Patch availability confirmed via GitHub commit f2ca636eb6df385219957e8934e9fc6efa1630d1.

Vendor StatusVendor

Share

CVE-2026-39805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy