Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
Network-accessible with no auth; scope changes to backend with high C/I impact; no availability impact; AC:L because HTTP/1.1 is the standard client protocol in default Kong deployments.
Primary rating from Vendor (02762ae7-200e-4b20-9b2b-a77d5b8fc4cb).
CVSS VectorVendor: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
Lifecycle Timeline
2DescriptionCVE.org
A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
AnalysisAI
HTTP request smuggling in Kong Gateway Enterprise (3.4, 3.10-3.14 series) enables unauthenticated remote attackers to desynchronize the HTTP/1.1 processing pipeline between Kong and its backend services, achieving high confidentiality and integrity impact against downstream systems. The parsing flaw (CWE-444) exploits ambiguous header interpretation to poison backend request queues, allowing cross-user request hijacking or malicious content injection. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and no active exploitation is confirmed in CISA KEV at time of analysis.
Technical ContextAI
Kong Gateway Enterprise is an API gateway built on the nginx/OpenResty stack that proxies HTTP traffic between clients and upstream backend services. CWE-444 (Inconsistent Interpretation of HTTP Requests) is the root cause: when two HTTP entities - here Kong and a backend - disagree on request boundary parsing, an attacker can craft ambiguous headers (typically conflicting Content-Length and Transfer-Encoding values) so that one entity treats trailing bytes as part of the current request while the other treats them as the start of the next. The CVSS 4.0 vector confirms this with VC:N/VI:N/VA:N (no direct impact on Kong itself) alongside SC:H/SI:H (high confidentiality and integrity impact on subsequent/backend systems), precisely characterizing the smuggling impact model. The AT:P metric indicates a specific attack precondition: the pipeline must be processing untrusted HTTP/1.1 traffic, which the CVE description explicitly names as the trigger context.
RemediationAI
No specific patched version number is confirmed from the available data - only the vendor advisory URL is referenced. Consult the Kong support article at https://support.konghq.com/support/s/article/CVE-2026-6338 immediately for fix versions across the 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series and apply the vendor-released patch as the primary remediation. As a compensating control pending patching, enforce HTTP/2 or TLS-only connections from untrusted external clients to eliminate the HTTP/1.1 desynchronization attack surface; note this may break legacy HTTP/1.1-only clients and requires careful rollout. Additionally, configure Kong to normalize ambiguous Transfer-Encoding and Content-Length headers before proxying, and restrict direct HTTP/1.1 access to Kong's listener ports using a WAF or upstream load balancer capable of header normalization. Enabling strict HTTP parsing modes in Kong (if available in the affected series) can also reduce the parsing ambiguity that this class of attack exploits.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36246
GHSA-mj44-8qq5-6386