{"uuid": "8f6202e6-a943-4445-ba85-5b23dcab86d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39805", "type": "seen", "source": "https://gist.github.com/alon710/536c02534caf441e3d6307e9b3c04050", "content": "# CVE-2026-39805: CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server\n\n> **CVSS Score:** 6.3\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/CVE-2026-39805\n\n## Summary\nThe Bandit HTTP server for Elixir versions prior to 1.11.0 fails to correctly process requests containing multiple Content-Length headers. This inconsistent interpretation creates a CL.CL HTTP request smuggling vulnerability when Bandit is deployed behind a reverse proxy that parses the headers differently. Attackers exploit this desynchronization to smuggle secondary HTTP requests past edge security controls.\n\n## TL;DR\nBandit < 1.11.0 accepts duplicate Content-Length headers and processes only the first one, violating RFC 9112. When deployed behind certain reverse proxies, this allows attackers to smuggle hidden HTTP requests to bypass frontend access controls.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-444\n- **Attack Vector**: Network\n- **CVSS v4.0**: 6.3\n- **EPSS Score**: 0.00017 (4.03%)\n- **Impact**: Security Control Bypass\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Bandit (Elixir HTTP Server) < 1.11.0\n- **bandit**: < 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade Bandit web server to version 1.11.0\n- Configure frontend proxies to reject requests with multiple Content-Length headers\n- Deploy WAF rules to detect and block malformed HTTP requests\n\n**Remediation Steps:**\n1. Modify mix.exs to require bandit version >= 1.11.0\n2. Run mix deps.get to update the application dependencies\n3. Recompile the application and deploy to the target environment\n4. Validate frontend proxy configurations to ensure strict RFC 9112 compliance\n\n## References\n\n- [GHSA-c67r-gc9j-2qf7 Security Advisory](https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7)\n- [Erlang Ecosystem Foundation CNA Notice](https://cna.erlef.org/cves/CVE-2026-39805.html)\n- [Bandit Fix Commit f2ca636eb6df385219957e8934e9fc6efa1630d1](https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1)\n- [OSV Entry for EEF-CVE-2026-39805](https://osv.dev/vulnerability/EEF-CVE-2026-39805)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39805) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T05:10:29.000000Z"}