Skip to main content

Tinyproxy CVE-2026-54387

CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-06-17 VulnCheck
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Network-reachable proxy, no auth or user interaction, low complexity; smuggling crosses a trust boundary into the backend so Scope:Changed, with high confidentiality/integrity impact and no availability hit.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
SUSE
CRITICAL
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 20:30 vuln.today
Analysis Generated
Jun 17, 2026 - 20:30 vuln.today

DescriptionCVE.org

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

AnalysisAI

HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed Tinyproxy listener
Delivery
Craft CL.TE hybrid request
Exploit
Send to proxy over HTTP
Install
Proxy forwards both headers, frames by CL
C2
Backend frames by TE and parses smuggled request
Execute
Smuggled request hijacks session or poisons cache
Impact
Pivot to ACL bypass or credential theft

Vulnerability AssessmentAI

Exploitation Attacker needs only network reachability to a Tinyproxy listener (any version up to and including 1.11.3) that forwards to a backend; per CVSS PR:N/UI:N/AT:N the attack is unauthenticated, requires no user interaction, and works against default Tinyproxy configurations because the header-reconciliation flaw is in core request handling, not behind an optional feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) of 9.3 Critical is consistent with the description: any reachable Tinyproxy instance can be hit with crafted HTTP requests, no authentication, no user interaction, with high confidentiality and integrity impact on smuggled-to backends and zero availability impact (a desync rarely DoSes the proxy itself). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable to a Tinyproxy listener sends a single HTTP request containing a Content-Length header sized to cover only the visible request, plus a Transfer-Encoding: chunked header whose body smuggles a second hidden request (for example, a POST to an admin endpoint or a request that poisons a downstream cache key). Tinyproxy consumes only Content-Length bytes and forwards the full payload, so the backend treats the trailing bytes as the next pipelined request from a trusted source, allowing the attacker to hijack a victim's session, bypass IP/path ACLs, or poison a shared cache. …
Remediation Upstream fix available (PR #610 / commit ff45d3b); released patched version not independently confirmed, so operators should either build Tinyproxy from a tree containing commit ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 or wait for and install a distribution package that backports it (track https://github.com/tinyproxy/tinyproxy/pull/610 and the VulnCheck advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Tinyproxy 1.11.3 or earlier and assess their exposure and role in request handling. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-54387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy