Description
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.

Impact

This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:

* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP

Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.


Mitigation

Pingora users should upgrade to Pingora v0.8.0 or higher, which fixes this issue by correctly parsing message length headers per RFC 9112 and adhering more strictly to RFC guidelines, including that HTTP request bodies are never close-delimited.

As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has an invalid Content-Length, multiple Transfer-Encoding headers, or a Transfer-Encoding header that is not an exact “chunked” string match.
Published: 2026-03-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling Bypass
Action: Immediate Patch
AI Analysis

Impact

An HTTP Request Smuggling vulnerability (CWE-444) exists in Pingora's handling of HTTP/1.0 requests and Transfer‑Encoding headers. By exploiting the parser’s acceptance of close‑delimited HTTP/1.0 bodies and its improper treatment of multiple Transfer‑Encoding values, an attacker can craft requests that desynchronize Pingora’s framing from the backend. This flaw allows the attacker to bypass proxy‑level ACLs and WAF logic, poison upstream caches and connections, and perform cross‑user attacks that misuse the trusted proxy IP to hijack sessions or inject requests that appear to originate from the proxy. The impact is a compromise of confidentiality, integrity, and availability of the backends serviced by Pingora.

Affected Systems

The flaw affects standalone Pingora instances deployed in front of backends that accept HTTP/1.0 requests. Cloudflare’s own CDN ingress layers were not affected because they exposed only HTTP/1.1 traffic and rejected ambiguous framing. Attackers would require direct access to a vulnerable Pingora deployment or to a backend that accepts HTTP/1.0.

Risk and Exploitability

The vulnerability carries a CVSS base score of 9.3, indicating critical severity. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Nevertheless, the attack vector is remote and straightforward: an attacker sends a crafted HTTP/1.0 or multi‑Transfer‑Encoding request to the Pingora proxy. If the proxy forwards the request, the attacker can bypass controls, poison caches, or hijack sessions, depending on the backend configuration.

Generated by OpenCVE AI on April 17, 2026 at 13:00 UTC.

Remediation

Vendor Solution

Pingora users should upgrade to Pingora v0.8.0 or higher.

Vendor Workaround

As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has an invalid Content-Length, multiple Transfer-Encoding headers, or a Transfer-Encoding header that is not an exact “chunked” string match.

OpenCVE Recommended Actions

  • Upgrade Pingora to v0.8.0 or later, which corrects request parsing according to RFC 9112 and enforces strict Transfer‑Encoding handling.
  • If upgrading is not immediately possible, configure the request filter to reject any non‑HTTP/1.1 request, any request with an invalid Content‑Length header, any request carrying multiple Transfer‑Encoding headers, or any Transfer‑Encoding header that is not exactly "chunked".
  • Disable downstream connection reuse to prevent poisoned connections from affecting subsequent legitimate requests.
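The vendor workaround (reject non-HTTP/1.1 requests, invalid Content-Length, multiple Transfer-Encoding headers, or a Transfer-Encoding value other than exactly "chunked") written out as a standalone decision function; this is an added example, not Pingora's own code or API. `ParsedRequest`, `Verdict` and `should_reject` are hypothetical names, and header values are assumed to arrive with surrounding whitespace already stripped by the parser.

```rust
// Added example, not Pingora's code: the vendor workaround for CVE-2026-2835
// as a pure decision function. Names are hypothetical; header values are
// assumed to be OWS-stripped already.

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept,
    Reject(&'static str),
}

pub struct ParsedRequest<'a> {
    pub version: &'a str,                 // request-line version, e.g. "HTTP/1.1"
    pub headers: Vec<(&'a str, &'a str)>, // (name, value) pairs in wire order
}

// All values of a header, matched case-insensitively by name, in wire order.
fn header_values<'a>(req: &ParsedRequest<'a>, name: &str) -> Vec<&'a str> {
    req.headers.iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
        .collect()
}

pub fn should_reject(req: &ParsedRequest) -> Verdict {
    // Rule 1: only HTTP/1.1; HTTP/1.0 bodies were wrongly allowed to be close-delimited.
    if req.version != "HTTP/1.1" {
        return Verdict::Reject("non-HTTP/1.1 request");
    }
    // Rule 2: Content-Length must be a single, purely numeric value ("5, 5" is ambiguous).
    let cl = header_values(req, "content-length");
    if cl.len() > 1 {
        return Verdict::Reject("multiple Content-Length headers");
    }
    if let Some(v) = cl.first() {
        if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) || v.parse::<u64>().is_err() {
            return Verdict::Reject("invalid Content-Length");
        }
    }
    // Rule 3: at most one Transfer-Encoding header, valued exactly "chunked".
    let te = header_values(req, "transfer-encoding");
    if te.len() > 1 {
        return Verdict::Reject("multiple Transfer-Encoding headers");
    }
    if let Some(v) = te.first() {
        if *v != "chunked" {
            return Verdict::Reject("Transfer-Encoding is not exactly \"chunked\"");
        }
    }
    Verdict::Accept
}
```

The function only decides; to match the workaround, the caller must turn a `Reject` into an error response that stops reading further bytes on that connection and must disable downstream connection reuse so nothing left in the buffer is parsed as a new request.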

Generated by OpenCVE AI on April 17, 2026 at 13:00 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-hj7x-879w-vrp7
Title: Pingora has HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
History

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cloudflare:pingora:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cloudflare
Cloudflare pingora
Vendors & Products Cloudflare
Cloudflare pingora

Wed, 04 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
Description An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’. Impact This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to: * Bypass proxy-level ACL controls and WAF logic * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests. Mitigation: Pingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited. As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact “chunked” string match.
Title HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing
Weaknesses CWE-444
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published:

Updated: 2026-03-06T18:24:48.150Z

Reserved: 2026-02-19T21:24:24.726Z

Link: CVE-2026-2835

Vulnrichment

Updated: 2026-03-06T18:24:43.100Z

NVD

Status: Analyzed

Published: 2026-03-05T00:15:57.860

Modified: 2026-03-12T15:06:16.957

Link: CVE-2026-2835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses