Skip to main content

CWE-444

HTTP Request/Response Smuggling

268 CVEs Avg CVSS 7.1 MITRE
49
CRITICAL
101
HIGH
108
MEDIUM
8
LOW
64
POC
2
KEV

Monthly

CVE-2026-12606 MEDIUM PATCH This Month

HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.

Request Smuggling Information Disclosure Eclipse Glassfish
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-27690 CRITICAL PATCH NEWS Act Now

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SAP Request Smuggling Information Disclosure Sap Approuter
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-50197 Go HIGH POC PATCH GHSA This Week

Authorization bypass in Zalando Skipper (<= v0.26.8) lets remote unauthenticated attackers defeat the opaAuthorizeRequestWithBody OPA filter by sending the request body with HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 framing that omits content-length. Because net/http sets ContentLength = -1 for such requests, Skipper's body extractor buffers an empty body, so Rego policies that gate on input.parsed_body evaluate against an empty document, fail open, and forward the forbidden payload upstream. Publicly available exploit code exists (a full E2E Go PoC is embedded in the GHSA advisory); the flaw is not in CISA KEV and no EPSS score was provided.

Request Smuggling Denial Of Service
NVD GitHub
CVSS 3.1
8.7
CVE-2025-3110 MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server Red Hat
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-38969 HIGH This Week

HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.

Request Smuggling Canonical Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11541 CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure Websphere Application Server Websphere Application Server Liberty
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-11806 HIGH This Week

Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).

Request Smuggling IBM Information Disclosure Websphere Application Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-13763 HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Request Smuggling Authentication Bypass Aws Application Load Balancer
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-13762 HIGH POC HOSTED Monitor

WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Amazon Cloudfront
NVD GitHub
CVSS 4.0
7.9
EPSS
0.5%
CVE-2026-58055 MEDIUM POC PATCH This Month

HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. A publicly available proof-of-concept exploit exists; no CISA KEV listing at time of analysis.

Request Smuggling Information Disclosure Nghttp2
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.

Request Smuggling Information Disclosure Eclipse Glassfish
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SAP Request Smuggling Information Disclosure +1
NVD
CVSS 8.7
HIGH POC PATCH This Week

Authorization bypass in Zalando Skipper (<= v0.26.8) lets remote unauthenticated attackers defeat the opaAuthorizeRequestWithBody OPA filter by sending the request body with HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 framing that omits content-length. Because net/http sets ContentLength = -1 for such requests, Skipper's body extractor buffers an empty body, so Rego policies that gate on input.parsed_body evaluate against an empty document, fail open, and forward the forbidden payload upstream. Publicly available exploit code exists (a full E2E Go PoC is embedded in the GHSA advisory); the flaw is not in CISA KEV and no EPSS score was provided.

Request Smuggling Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.

Request Smuggling Canonical Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.

Request Smuggling IBM Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).

Request Smuggling IBM Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.9
HIGH POC HOSTED Monitor

WAF managed-rule body inspection on AWS Application Load Balancer (ALB) can be bypassed by remote actors who fragment an HTTP/2 request body across multiple frames so that only a partial body is inspected before reaching the backend. The flaw (CWE-444, HTTP request smuggling) affects only ALB target groups serving HTTP/2 traffic with AWS WAF enabled, and lets attackers slip malicious payloads past WAF managed rules. No public exploit identified at time of analysis and it is not on CISA KEV; AWS scores it 7.9 (CVSS 4.0) with impact falling on the protected backend rather than the ALB itself.

Request Smuggling Authentication Bypass Aws Application Load Balancer
NVD GitHub
EPSS 0% CVSS 7.9
HIGH POC HOSTED Monitor

WAF inspection bypass in Amazon CloudFront (with AWS WAF enabled) lets remote actors smuggle malicious request bodies past managed rule inspection by fragmenting the HTTP/2 request body across frames so only a partial body is examined. The flaw (CWE-444, request smuggling) defeats the protective security control rather than CloudFront itself, allowing attacks the WAF would normally block to reach the protected origin. AWS remediated it server-side with no customer action required; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Request Smuggling Authentication Bypass Amazon Cloudfront
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. A publicly available proof-of-concept exploit exists; no CISA KEV listing at time of analysis.

Request Smuggling Information Disclosure Nghttp2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy