Skip to main content

Apache EUVDEUVD-2026-11776

| CVE-2026-23941 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-03-13 EEF
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 06, 2026 - 17:17 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 09:29 euvd
EUVD-2026-11776
Analysis Generated
Mar 13, 2026 - 09:29 vuln.today
CVE Published
Mar 13, 2026 - 09:11 nvd
HIGH 7.0

DescriptionCVE.org

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.

This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.

The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.

AnalysisAI

A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.

Technical ContextAI

The vulnerability resides in the Erlang OTP inets httpd module, specifically in the httpd_request:parse_headers/7 function within lib/inets/src/http_server/httpd_request.erl. This is a classic CWE-444 (Inconsistent Interpretation of HTTP Requests) vulnerability where the Erlang HTTP server processes the first Content-Length header value while common reverse proxies like nginx, Apache httpd, and Envoy use the last value. This parsing discrepancy violates RFC 9112 Section 6.3, which mandates that duplicate Content-Length headers should result in request rejection. When an attacker sends a request with multiple Content-Length headers through a reverse proxy to an Erlang backend, the proxy and backend disagree on where the request body ends, leaving attacker-controlled bytes in the TCP stream that get interpreted as the beginning of the next request.

RemediationAI

Upgrade Erlang OTP to version 28.4.1, 27.3.4.9, or 26.2.5.18 depending on your current major version branch, which include the patched inets versions 9.6.1, 9.3.2.3, or 9.1.0.5 respectively. For systems that cannot be immediately patched, configure reverse proxies to strictly validate and normalize Content-Length headers before forwarding requests to Erlang backends, rejecting any requests with duplicate Content-Length headers. Additionally, implement request size limits and timeout controls at the proxy layer to minimize the impact of potential smuggling attempts. Monitor for unusual request patterns or unexpected request boundaries in application logs as potential indicators of exploitation attempts.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

EUVD-2026-11776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy