Skip to main content

Vinyl Cache CVE-2026-50052

| EUVDEUVD-2026-34066 LOW
HTTP Request/Response Smuggling (CWE-444)
2026-06-03 mitre GHSA-mwjg-3fm6-9v84
2.3
CVSS 4.0 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
N

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 07:59 vuln.today
CVSS changed
Jun 03, 2026 - 06:22 NVD
2.3 (LOW)
CVE Published
Jun 03, 2026 - 03:56 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

AnalysisAI

HTTP/2 request parsing in Vinyl Cache and Varnish Cache enables backend request desync (HTTP request smuggling), exploitable for cache poisoning, authentication bypass, and information disclosure against affected deployments. Vinyl Cache prior to 9.0.1 and Varnish Cache prior to 9.0.3, plus legacy pre-split Varnish Cache branches spanning versions 6.0.14 through 8.0.1, are confirmed affected across three distinct CPE lineages. Exploitation is gated behind an explicitly non-default configuration - HTTP/2 must be enabled via the +http2 feature parameter - which substantially limits exposure; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

Vinyl Cache and Varnish Cache are HTTP reverse proxy caches that mediate traffic between clients and backend origin servers. CWE-444 (Inconsistent Interpretation of HTTP Requests - HTTP Request/Response Smuggling) identifies the root cause class: the HTTP/2 request parser fails to consistently resolve request framing boundaries, causing the backend server to interpret the byte stream differently than the caching proxy does. This frontend/backend desync allows an attacker to inject a hidden second HTTP request into the backend's processing queue, ahead of or interleaved with requests from other users. The affected CPE strings - cpe:2.3:a:the_vinyl_cache_project:vinyl_cache, cpe:2.3:a:the_vinyl_cache_project:varnish_cache_(pre_split), and cpe:2.3:a:varnish_software:varnish_cache_by_varnish_software - confirm the parsing deficiency spans all three product lineages when HTTP/2 is active, with the vulnerability only reachable through the HTTP/2 code path introduced by the feature +http2 parameter.

RemediationAI

Upgrade Vinyl Cache to version 9.0.1 or later, and Varnish Cache by Varnish Software to version 9.0.3 or later, as detailed in the security advisory at https://vinyl-cache.org/security/VSV00019.html. For pre-split Varnish Cache installations on the 6.0.x (6.0.14-6.0.17) and 7.x-8.x (7.6.0-8.0.1) branches, consult the advisory directly to determine whether backport patches have been released for those branches, as specific fix versions for these older lineages are not confirmed in currently available data. If an immediate upgrade is not feasible, the most targeted compensating control is to remove the +http2 flag from the feature parameter in the Varnish or Vinyl Cache VCL configuration, disabling HTTP/2 entirely - this eliminates the attack vector at its source with no residual exposure from this CVE. The trade-off is reduced performance and multiplexing capability for HTTP/2-capable clients. Placing a hardening TLS-terminating load balancer in front of the cache that strictly normalizes and validates HTTP/2 framing before forwarding is a secondary mitigation, but adds operational complexity and does not guarantee elimination of all desync vectors.

Vendor StatusVendor

Debian

varnish
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 6.5.1-1+deb11u5 -
bookworm, bookworm (security) fixed 7.1.1-2+deb12u1 -
trixie fixed 7.7.0-3+deb13u1 -
trixie (security) fixed 7.7.0-3+deb13u1 -
forky, sid vulnerable 7.7.3-2 -
bookworm not-affected - -
(unstable) fixed (unfixed) -

Share

CVE-2026-50052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy