Skip to main content

Tinyproxy CVE-2026-55202

HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-06-17 VulnCheck
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Remote, no auth, single crafted request (AV:N/AC:L/PR:N/UI:N); stats disclosure gives C:H, transparent-proxy misrouting gives limited I:L, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 18, 2026 - 03:46 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 03:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 03:38 vuln.today
cvss_changed
Severity Changed
Jun 18, 2026 - 03:38 NVD
CRITICAL HIGH
CVSS changed
Jun 18, 2026 - 03:38 NVD
9.3 (CRITICAL) 8.8 (HIGH)
Source Code Evidence Fetched
Jun 17, 2026 - 20:03 vuln.today
Analysis Generated
Jun 17, 2026 - 20:03 vuln.today

DescriptionCVE.org

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

AnalysisAI

Authentication bypass in Tinyproxy through 1.11.3 lets unauthenticated remote attackers reach the internal statistics page and smuggle transparent-proxy requests by forging or port-manipulating the HTTP Host header, because stathost detection used a brittle strcmp against the configured hostname. The flaw is a CWE-444 request-interpretation inconsistency reported by VulnCheck; no public exploit identified at time of analysis, though the upstream fix (commit 09312a1) and a detailed PR diff are publicly available, making a working PoC trivial to reconstruct.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Tinyproxy listener
Delivery
Probe for configured StatHost name
Exploit
Send HTTP request with crafted Host header (stathost:port)
Execution
Bypass strcmp-based stathost check
Persist
Receive internal statistics page or misroute transparent-proxy connection
Impact
Harvest proxy metadata or pivot past egress controls

Vulnerability AssessmentAI

Exploitation Tinyproxy must be running a version up to and including 1.11.3 and reachable over the network from the attacker (the daemon's listening interface, default 8888, is exposed to attacker-controlled traffic). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N is consistent with a fully remote, unauthenticated, low-complexity attack that primarily breaches confidentiality (statistics disclosure) with secondary integrity impact through transparent-proxy request misrouting; availability is unaffected, which matches the described behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Tinyproxy instance on the network sends an HTTP request whose Host header is set to the configured stathost value with an appended ':1234' port suffix (or otherwise crafted to defeat strcmp), causing Tinyproxy to serve the internal statistics page without authentication and disclose proxy version, connection counts, and client activity. The same Host/URL parsing mismatch can be abused in transparent-proxy mode to misroute a connection to an unintended upstream and bypass StatHost-based access controls. …
Remediation Upstream fix available as commit 09312a1 (PR #606); a released, tagged patched version is not independently confirmed in the supplied data, so rebuild from current main or apply the src/reqs.c patch introducing is_stathost() and its two call sites. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Tinyproxy 1.11.3 and earlier installations and restrict network access to internal users only if patches cannot be immediately deployed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-55202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy