Skip to main content

Tinyproxy CVE-2026-54388

CRITICAL
HTTP Request/Response Smuggling (CWE-444)
2026-06-17 VulnCheck
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Remote unauthenticated smuggling via crafted headers (AV:N/AC:L/PR:N/UI:N); scope changes as the proxy mis-delivers requests to a separate backend authority (S:C); confidentiality and integrity of smuggled/poisoned traffic are high, availability not directly impacted.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 20:32 vuln.today
Analysis Generated
Jun 17, 2026 - 20:32 vuln.today

DescriptionCVE.org

Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

AnalysisAI

HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Tinyproxy instance
Delivery
Craft request with duplicate Content-Length headers
Exploit
Send through proxy to backend
Execution
Desynchronize proxy/backend parsers
Persist
Smuggle attacker-controlled request
Impact
Poison cache or bypass auth controls

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to a Tinyproxy instance at or below version 1.11.3 that is forwarding HTTP traffic to a backend whose Content-Length parser disagrees with Tinyproxy's first-header preference (a near-universal condition given common backends like nginx, Apache, and Node-based services). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) and the 9.3 base score reflect that exploitation requires only an attacker-reachable Tinyproxy instance and crafted HTTP traffic, with no authentication, user interaction, or unusual conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a vulnerable Tinyproxy instance - for example, an internal user, a tenant on a shared proxy, or any client of an exposed forward proxy - sends a single TCP request containing two Content-Length headers with differing values plus a smuggled second request hidden in the body. Tinyproxy uses the first Content-Length to determine body length and forwards both headers to the backend, which uses the second value, causing the backend to interpret the trailing bytes as a new request attributed to the next legitimate client. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes in commit 364cdb6 (https://github.com/tinyproxy/tinyproxy/commit/364cdb67e0ea00a8e4a7037e2693e0711e816adb) by upgrading to a build that includes the patch or by rebuilding from current main, since no tagged release beyond 1.11.3 is referenced in the input. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Tinyproxy deployments and assess which handle sensitive traffic or enforce security policies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-54388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy