Skip to main content

daphne CVE-2026-44546

| EUVDEUVD-2026-34092 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-03 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 GHSA-xh68-hfp5-5x5m
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat
3.7 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Severity Changed
Jun 15, 2026 - 20:07 NVD
LOW MEDIUM
CVSS changed
Jun 15, 2026 - 20:07 NVD
3.7 (LOW) 5.3 (MEDIUM)
Analysis Generated
Jun 03, 2026 - 14:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 93 pypi packages depend on daphne (45 direct, 50 indirect)

Ecosystem-wide dependent count for version 4.2.2.

DescriptionNVD

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

AnalysisAI

Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.

Technical ContextAI

daphne is the ASGI server backing Django Channels, layering WebSocket support over Twisted's HTTP engine with autobahn handling the WebSocket handshake. The flaw is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests - HTTP Request/Response Smuggling): daphne reconstructs a raw HTTP byte stream from Twisted's pre-parsed headers and hands it to autobahn for WebSocket upgrade validation. Twisted's HTTP parser does not treat \x0b (vertical tab), \x0c (form feed), \x1c (file separator), \x1d (group separator), \x1e (record separator), or \x85 (Unicode NEL - next line) as line-break characters, so it passes a header value containing these bytes through intact. autobahn, however, decodes the header value into a Python str and calls str.splitlines(), which per the Unicode standard recognizes all of those code points as line terminators. This splits one header value into multiple lines, creating synthetic header key-value pairs that populate the ASGI scope dictionary with attacker-controlled data that never existed in the original Twisted-parsed request. The fix in 4.2.2 closes the gap by having daphne validate and reject any request containing these bytes in a header value with a 400 response before autobahn ever sees it. No CPE strings were included in the provided intelligence.

RemediationAI

The primary fix is to upgrade daphne to version 4.2.2 or later; this release adds input validation that rejects any inbound HTTP request containing the bytes \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 in any header value with a 400 Bad Request, preventing the malformed header from reaching autobahn. The fix is documented at https://github.com/django/daphne/blob/main/CHANGELOG.txt. If immediate upgrade is not feasible, a compensating control is to deploy a hardening reverse proxy (nginx, HAProxy) in front of daphne configured to drop or reject requests containing these non-ASCII control bytes in header values; note that proxy behavior with unusual Unicode bytes is implementation-specific and must be explicitly tested and verified rather than assumed. A second compensating control is to add Django middleware that audits the ASGI scope headers for unexpected keys before they reach application logic, reducing the attack surface without blocking the request at the protocol layer - this does not eliminate the injection but limits exploitation to headers the application actually trusts. Neither workaround is a substitute for patching.

Vendor StatusVendor

Share

CVE-2026-44546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy