Vulnerability-Lookup

CVE-2026-2833 (GCVE-0-2026-2833)

Vulnerability from cvelistv5 – Published: 2026-03-04 23:20 – Updated: 2026-03-06 18:26

Title

HTTP Request Smuggling via Premature Upgrade

Summary

An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking. Impact This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to: * Bypass proxy-level ACL controls and WAF logic * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode. Mitigation: Pingora users should upgrade to Pingora v0.8.0 or higher As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

cloudflare

References

URL

Tags

https://github.com/cloudflare/pingora

Impacted products

	Vendor	Product	Version
	Cloudflare	https://github.com/cloudflare/pingora	Affected: 0 , < 0.8.0 (semver)

Credits

Rajat Raghav (xclow3n)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2833",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T18:25:53.691901Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:26:03.825Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "https://github.com/cloudflare/pingora",
          "repo": "https://github.com/cloudflare/pingora",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "0.8.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Rajat Raghav (xclow3n)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: transparent;\"\u003eAn HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\n\n  *  Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n  *  Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n  *  Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher\n\n\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T23:20:51.985Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/pingora"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e"
            }
          ],
          "value": "Pingora users should upgrade to Pingora v0.8.0 or higher"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Request Smuggling via Premature Upgrade",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003cbr\u003e"
            }
          ],
          "value": "As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-2833",
    "datePublished": "2026-03-04T23:20:51.985Z",
    "dateReserved": "2026-02-19T21:02:12.382Z",
    "dateUpdated": "2026-03-06T18:26:03.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2833\",\"sourceIdentifier\":\"cna@cloudflare.com\",\"published\":\"2026-03-05T00:15:57.650\",\"lastModified\":\"2026-03-12T15:08:03.153\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\\n\\nImpact\\n\\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\\n\\n  *  Bypass proxy-level ACL controls and WAF logic\\n\\n\\n\\n\\n  *  Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\\n\\n\\n\\n\\n  *  Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\\n\\n\\n\\n\\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\\n\\n\\nMitigation:\\n\\nPingora users should upgrade to Pingora v0.8.0 or higher\\n\\n\\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad de contrabando de solicitudes HTTP (CWE-444) en el manejo de Pingora de las actualizaciones de conexi\u00f3n HTTP/1.1. El problema ocurre cuando un proxy de Pingora lee una solicitud que contiene un encabezado Upgrade, haciendo que el proxy pase el resto de los bytes de la conexi\u00f3n a un backend antes de que el backend haya aceptado la actualizaci\u00f3n. Un atacante puede as\u00ed reenviar directamente una carga \u00fatil maliciosa despu\u00e9s de una solicitud con un encabezado Upgrade a ese backend de una manera que puede ser interpretada como un encabezado de solicitud subsiguiente, eludiendo los controles de seguridad a nivel de proxy y permitiendo el secuestro de sesi\u00f3n entre usuarios.\\n\\nImpacto\\n\\nEsta vulnerabilidad afecta principalmente a implementaciones de Pingora independientes donde un proxy de Pingora est\u00e1 expuesto al tr\u00e1fico externo. Un atacante podr\u00eda explotar esto para:\\n\\n  *  Eludir los controles ACL a nivel de proxy y la l\u00f3gica WAF\\n\\n  *  Envenenar cach\u00e9s y conexiones ascendentes, haciendo que las solicitudes subsiguientes de usuarios leg\u00edtimos reciban respuestas destinadas a solicitudes de contrabando\\n\\n  *  Realizar ataques entre usuarios secuestrando sesiones o contrabandeando solicitudes que parecen originarse de la IP del proxy de confianza\\n\\nLa infraestructura CDN de Cloudflare no se vio afectada por esta vulnerabilidad, ya que los proxies de entrada en la pila CDN mantienen l\u00edmites de an\u00e1lisis HTTP adecuados y no cambian prematuramente al modo de reenv\u00edo de conexi\u00f3n actualizada.\\n\\nMitigaci\u00f3n:\\n\\nLos usuarios de Pingora deber\u00edan actualizar a Pingora v0.8.0 o superior\\n\\nComo soluci\u00f3n alternativa, los usuarios pueden devolver un error en solicitudes con el encabezado Upgrade presente en su l\u00f3gica de filtro de solicitudes para detener el procesamiento de bytes m\u00e1s all\u00e1 del encabezado de la solicitud y deshabilitar la reutilizaci\u00f3n de la conexi\u00f3n descendente.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"cna@cloudflare.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cloudflare:pingora:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.8.0\",\"matchCriteriaId\":\"7FD8B659-5061-46DA-8A73-2E17D6298546\"}]}]}],\"references\":[{\"url\":\"https://github.com/cloudflare/pingora\",\"source\":\"cna@cloudflare.com\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2833\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T18:25:53.691901Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:25:58.644Z\"}}], \"cna\": {\"title\": \"HTTP Request Smuggling via Premature Upgrade\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Rajat Raghav (xclow3n)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/cloudflare/pingora\", \"vendor\": \"Cloudflare\", \"product\": \"https://github.com/cloudflare/pingora\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.8.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Pingora users should upgrade to Pingora v0.8.0 or higher\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Pingora users should upgrade to Pingora v0.8.0 or higher\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://github.com/cloudflare/pingora\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\\n\\nImpact\\n\\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\\n\\n  *  Bypass proxy-level ACL controls and WAF logic\\n\\n\\n\\n\\n  *  Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\\n\\n\\n\\n\\n  *  Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\\n\\n\\n\\n\\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\\n\\n\\nMitigation:\\n\\nPingora users should upgrade to Pingora v0.8.0 or higher\\n\\n\\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: transparent;\\\"\u003eAn HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eImpact\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eBypass proxy-level ACL controls and WAF logic\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ePoison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ePerform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003ePingora users should upgrade to Pingora v0.8.0 or higher\u003c/span\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\u003c/span\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-444\", \"description\": \"CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"shortName\": \"cloudflare\", \"dateUpdated\": \"2026-03-04T23:20:51.985Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2833\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T18:26:03.825Z\", \"dateReserved\": \"2026-02-19T21:02:12.382Z\", \"assignerOrgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"datePublished\": \"2026-03-04T23:20:51.985Z\", \"assignerShortName\": \"cloudflare\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-2833

Vulnerability from fkie_nvd - Published: 2026-03-05 00:15 - Updated: 2026-03-12 15:08

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	cna@cloudflare.com	https://github.com/cloudflare/pingora	Product

Impacted products

	Vendor	Product	Version
	cloudflare	pingora	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cloudflare:pingora:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FD8B659-5061-46DA-8A73-2E17D6298546",
              "versionEndExcluding": "0.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\n\n  *  Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n  *  Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n  *  Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher\n\n\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad de contrabando de solicitudes HTTP (CWE-444) en el manejo de Pingora de las actualizaciones de conexi\u00f3n HTTP/1.1. El problema ocurre cuando un proxy de Pingora lee una solicitud que contiene un encabezado Upgrade, haciendo que el proxy pase el resto de los bytes de la conexi\u00f3n a un backend antes de que el backend haya aceptado la actualizaci\u00f3n. Un atacante puede as\u00ed reenviar directamente una carga \u00fatil maliciosa despu\u00e9s de una solicitud con un encabezado Upgrade a ese backend de una manera que puede ser interpretada como un encabezado de solicitud subsiguiente, eludiendo los controles de seguridad a nivel de proxy y permitiendo el secuestro de sesi\u00f3n entre usuarios.\n\nImpacto\n\nEsta vulnerabilidad afecta principalmente a implementaciones de Pingora independientes donde un proxy de Pingora est\u00e1 expuesto al tr\u00e1fico externo. Un atacante podr\u00eda explotar esto para:\n\n  *  Eludir los controles ACL a nivel de proxy y la l\u00f3gica WAF\n\n  *  Envenenar cach\u00e9s y conexiones ascendentes, haciendo que las solicitudes subsiguientes de usuarios leg\u00edtimos reciban respuestas destinadas a solicitudes de contrabando\n\n  *  Realizar ataques entre usuarios secuestrando sesiones o contrabandeando solicitudes que parecen originarse de la IP del proxy de confianza\n\nLa infraestructura CDN de Cloudflare no se vio afectada por esta vulnerabilidad, ya que los proxies de entrada en la pila CDN mantienen l\u00edmites de an\u00e1lisis HTTP adecuados y no cambian prematuramente al modo de reenv\u00edo de conexi\u00f3n actualizada.\n\nMitigaci\u00f3n:\n\nLos usuarios de Pingora deber\u00edan actualizar a Pingora v0.8.0 o superior\n\nComo soluci\u00f3n alternativa, los usuarios pueden devolver un error en solicitudes con el encabezado Upgrade presente en su l\u00f3gica de filtro de solicitudes para detener el procesamiento de bytes m\u00e1s all\u00e1 del encabezado de la solicitud y deshabilitar la reutilizaci\u00f3n de la conexi\u00f3n descendente."
    }
  ],
  "id": "CVE-2026-2833",
  "lastModified": "2026-03-12T15:08:03.153",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@cloudflare.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-05T00:15:57.650",
  "references": [
    {
      "source": "cna@cloudflare.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/cloudflare/pingora"
    }
  ],
  "sourceIdentifier": "cna@cloudflare.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "cna@cloudflare.com",
      "type": "Secondary"
    }
  ]
}

GHSA-F9V3-J2M7-4HPG

Vulnerability from github – Published: 2026-03-05 00:31 – Updated: 2026-03-05 20:54

Summary

Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xq2h-p299-vjwv. This link is maintained to preserve external references.

Original Description

Impact

This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:

Bypass proxy-level ACL controls and WAF logic
Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP

Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.

Mitigation:

Pingora users should upgrade to Pingora v0.8.0 or higher

As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.

Severity ?

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pingora-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:54:59Z",
    "nvd_published_at": "2026-03-05T00:15:57Z",
    "severity": "CRITICAL"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xq2h-p299-vjwv. This link is maintained to preserve external references.\n\n### Original Description\nAn HTTP request smuggling vulnerability (CWE-444) was found in Pingora\u0027s handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.\n\nImpact\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:\n\n  *  Bypass proxy-level ACL controls and WAF logic\n\n\n\n\n  *  Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests\n\n\n\n\n  *  Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP\n\n\n\n\nCloudflare\u0027s CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n\nMitigation:\n\nPingora users should upgrade to Pingora v0.8.0 or higher\n\n\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.",
  "id": "GHSA-f9v3-j2m7-4hpg",
  "modified": "2026-03-05T20:54:59Z",
  "published": "2026-03-05T00:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/pingora"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0033.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade",
  "withdrawn": "2026-03-05T20:54:59Z"
}

GHSA-XQ2H-P299-VJWV

Vulnerability from github – Published: 2026-03-05 20:55 – Updated: 2026-03-09 20:45

Summary

Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade

Details

Impact

Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls.

This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.

Note: Cloudflare customers and Cloudflare's CDN infrastructure were not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.

Patches

Pingora users should upgrade to Pingora v0.8.0 or higher, which fixes this issue by only switching connection modes after receiving a 101 Switching Protocols response from the backend (hash 824bdeefc61e121cc8861de1b35e8e8f39026ecd). Without a 101 response, subsequent bytes continue to be parsed as HTTP requests.

Workarounds

References

See CVE-2026-2833 and the Cloudflare blog post for more details.

Credits

Disclosed responsibly by Rajat Raghav (@xclow3n) through the Cloudflare Bug Bounty Program.

Severity ?

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "pingora-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:55:29Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nPingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls.\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.\n\nNote: Cloudflare customers and Cloudflare\u0027s CDN infrastructure were not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.\n\n### Patches\nPingora users should upgrade to Pingora v0.8.0 or higher, which fixes this issue by only switching connection modes after receiving a 101 Switching Protocols response from the backend (hash 824bdeefc61e121cc8861de1b35e8e8f39026ecd). Without a 101 response, subsequent bytes continue to be parsed as HTTP requests.\n\n### Workarounds\nAs a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.\n\n### References\nSee [CVE-2026-2833](https://www.cve.org/cverecord?id=CVE-2026-2833) and the [Cloudflare blog post](https://blog.cloudflare.com/pingora-oss-smuggling-vulnerabilities/) for more details.\n\n### Credits\nDisclosed responsibly by Rajat Raghav (@xclow3n) through the Cloudflare [Bug Bounty Program](https://www.cloudflare.com/disclosure/).",
  "id": "GHSA-xq2h-p299-vjwv",
  "modified": "2026-03-09T20:45:48Z",
  "published": "2026-03-05T20:55:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/pingora/security/advisories/GHSA-xq2h-p299-vjwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2833"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/pingora"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0033.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade"
}

CVE-2026-2833

Vulnerability from osv_rustsec

Published

2026-03-04 12:00

Modified

2026-03-09 20:53

Summary

HTTP Request Smuggling via Premature Upgrade

Details

This flaw was corrected in commit 824bdeefc61e121cc8861de1b35e8e8f39026ecd by only switching connection modes after receiving a 101 response from the backend. Users should upgrade to Pingora >= 0.8.0.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "pingora-core",
        "purl": "pkg:cargo/pingora-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2026-2833",
    "GHSA-xq2h-p299-vjwv"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching Protocols response. This allows an attacker to smuggle requests to the backend and bypass proxy-level security controls.\n\nThis vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, or perform cross-user attacks by hijacking sessions.\n\nThis flaw was corrected in commit 824bdeefc61e121cc8861de1b35e8e8f39026ecd by only switching connection modes after receiving a 101 response from the backend. Users should upgrade to Pingora \u003e= 0.8.0.\n\nNote: Cloudflare customers and Cloudflare\u0027s CDN infrastructure were not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.",
  "id": "RUSTSEC-2026-0033",
  "modified": "2026-03-09T20:53:55Z",
  "published": "2026-03-04T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/pingora-core"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0033.html"
    },
    {
      "type": "WEB",
      "url": "https://blog.cloudflare.com/pingora-oss-smuggling-vulnerabilities/"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2833"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HTTP Request Smuggling via Premature Upgrade"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-2833 (GCVE-0-2026-2833)

FKIE_CVE-2026-2833

GHSA-F9V3-J2M7-4HPG

Duplicate Advisory

Original Description

GHSA-XQ2H-P299-VJWV

Impact

Patches

Workarounds

References

Credits

CVE-2026-2833

Vulnerability from osv_rustsec

Tags

Sightings

Nomenclature