CVE-2026-26365 - Vulnerability Details

- Incorrect Processing of Custom Hop‑by‑Hop HTTP Headers in Akamai Ghost Leading to Request Smuggling

Description

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

Published: 2026-02-23

Score: 4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Akamai Ghost on CDN edge servers mishandles custom hop‑by‑hop HTTP headers. When an incoming request contains the header "Connection: Transfer-Encoding", the server may forward a request with invalid message framing, which can allow an attacker to smuggle requests into the origin server. The flaw is a weakness in HTTP message handling, listed as CWE‑444, and can lead to misinterpretation of request bodies, potentially enabling data tampering or injection of hidden requests.

Affected Systems

The vulnerability affects Akamai Ghost CDN edge servers deployed before the February 6, 2026 release. No specific version numbers are provided, but any instances running the pre‑February 2026 firmware are susceptible. The issue is tied to the handling of hop‑by‑hop headers at the edge tier, which then passes malformed framing to back‑end origins.

Risk and Exploitability

The CVSS base score of 4.0 indicates moderate impact. EPSS is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a remote attacker crafting HTTP traffic to a publicly reachable edge server with the malformed header. Successful exploitation would result in the origin server parsing the request body incorrectly, enabling a request smuggling attack. No confirmed exploits are reported, but the presence of the flaw warrants monitoring and timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Akamai

Ghost

unaffected

Version	Status	Constraints
`0`	affected	< 2026-02-06

No data.

Vendor Product Confidence Versions

Akamai

Ghost

100%

Version	Status	Scheme	Platform
`[0,2026-02-06)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Akamai Ghost edge servers to the February 6, 2026 release or later, which addresses the hop‑by‑hop header handling flaw.
Apply any configuration changes recommended by Akamai, such as disabling propagation of custom hop‑by‑hop headers or normalizing the "Connection" and "Transfer-Encoding" headers before forwarding.
Configure network perimeter devices or a WAF to strip or reject requests containing the "Connection: Transfer-Encoding" header in order to prevent unintended framing from reaching the origin.
Continuously monitor access and origin logs for signs of malformed request framing or duplicate headers that might indicate an ongoing smuggling attempt.

Generated by OpenCVE AI on April 17, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding

History

Fri, 17 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		Incorrect Processing of Custom Hop‑by‑Hop HTTP Headers in Akamai Ghost Leading to Request Smuggling

Mon, 23 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Akamai Akamai ghost
Vendors & Products		Akamai Akamai ghost

Mon, 23 Feb 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.
Weaknesses		CWE-444
References		https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding
Metrics		cvssV3_1 `{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}`

Subscriptions

Akamai Ghost

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-02-23T00:00:00.000Z

Updated: 2026-02-23T20:58:59.805Z

Reserved: 2026-02-13T00:00:00.000Z

Link: CVE-2026-26365

Vulnrichment

Updated: 2026-02-23T20:58:52.828Z

NVD

Status : Deferred

Published: 2026-02-23T09:17:01.210

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses

CWE-444

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object