Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
AnalysisAI
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.
Technical ContextAI
Varnish Cache is an HTTP accelerator and reverse proxy that caches web content to improve performance. The vulnerability stems from improper URL handling in HTTP/1.1 request processing, specifically when the path component is set to the root path (/). CWE-180 (Incorrect Behavior of Shift and Rotation Operator) typically involves bitwise operation errors, but in this context likely indicates unsafe transformation or normalization of URL path components. When req.url is not properly validated before use in caching decisions or authentication checks, attackers can craft malicious requests with root paths that bypass security controls. The affected versions are Varnish Cache before 8.0.1 (CPE: cpe:2.3:a:varnish:varnish_cache:*:*:*:*:*:*:*:*) and Varnish Enterprise before 6.0.16r12 (CPE: cpe:2.3:a:varnish:varnish_enterprise:*:*:*:*:*:*:*:*).
RemediationAI
Upgrade Varnish Cache to version 8.0.1 or later, which includes the fix for improper HTTP/1.1 URL path handling. Varnish Enterprise users should update to 6.0.16r12 or later. For users unable to immediately patch, review and strengthen validation of req.url in Varnish Configuration Language (VCL) policies, ensuring that root path requests (/) are explicitly handled and do not bypass intended caching or authentication logic. Disable or restrict caching of authentication-sensitive responses until patched. Consult the official advisory at https://vinyl-cache.org/security/VSV00018.html for detailed configuration workarounds and patch deployment instructions.
More in Varnish Enterprise
View alllibvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access dur
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests. Rated m
Varnish Enterprise before 6.0.13r13 allows remote attackers to obtain sensitive information via an out-of-bounds read fo
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16801