Skip to main content

Kong Gateway Enterprise CVE-2026-6338

| EUVDEUVD-2026-36246 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-11 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb GHSA-mj44-8qq5-6386
4.9
CVSS 4.0 · Vendor: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
Share

Severity by source

Vendor (02762ae7-200e-4b20-9b2b-a77d5b8fc4cb) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
vuln.today AI
10.0 CRITICAL

Network-accessible with no auth; scope changes to backend with high C/I impact; no availability impact; AC:L because HTTP/1.1 is the standard client protocol in default Kong deployments.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (02762ae7-200e-4b20-9b2b-a77d5b8fc4cb).

CVSS VectorVendor: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 16:16 EUVD
Analysis Generated
Jun 11, 2026 - 14:34 vuln.today

DescriptionCVE.org

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

AnalysisAI

HTTP request smuggling in Kong Gateway Enterprise (3.4, 3.10-3.14 series) enables unauthenticated remote attackers to desynchronize the HTTP/1.1 processing pipeline between Kong and its backend services, achieving high confidentiality and integrity impact against downstream systems. The parsing flaw (CWE-444) exploits ambiguous header interpretation to poison backend request queues, allowing cross-user request hijacking or malicious content injection. Proof-of-concept exploit code exists (CVSS 4.0 E:P), and no active exploitation is confirmed in CISA KEV at time of analysis.

Technical ContextAI

Kong Gateway Enterprise is an API gateway built on the nginx/OpenResty stack that proxies HTTP traffic between clients and upstream backend services. CWE-444 (Inconsistent Interpretation of HTTP Requests) is the root cause: when two HTTP entities - here Kong and a backend - disagree on request boundary parsing, an attacker can craft ambiguous headers (typically conflicting Content-Length and Transfer-Encoding values) so that one entity treats trailing bytes as part of the current request while the other treats them as the start of the next. The CVSS 4.0 vector confirms this with VC:N/VI:N/VA:N (no direct impact on Kong itself) alongside SC:H/SI:H (high confidentiality and integrity impact on subsequent/backend systems), precisely characterizing the smuggling impact model. The AT:P metric indicates a specific attack precondition: the pipeline must be processing untrusted HTTP/1.1 traffic, which the CVE description explicitly names as the trigger context.

RemediationAI

No specific patched version number is confirmed from the available data - only the vendor advisory URL is referenced. Consult the Kong support article at https://support.konghq.com/support/s/article/CVE-2026-6338 immediately for fix versions across the 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series and apply the vendor-released patch as the primary remediation. As a compensating control pending patching, enforce HTTP/2 or TLS-only connections from untrusted external clients to eliminate the HTTP/1.1 desynchronization attack surface; note this may break legacy HTTP/1.1-only clients and requires careful rollout. Additionally, configure Kong to normalize ambiguous Transfer-Encoding and Content-Length headers before proxying, and restrict direct HTTP/1.1 access to Kong's listener ports using a WAF or upstream load balancer capable of header normalization. Enabling strict HTTP parsing modes in Kong (if available in the affected series) can also reduce the parsing ambiguity that this class of attack exploits.

Share

CVE-2026-6338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy