CVE-2026-32239 - Vulnerability Details

Description

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

Published: 2026-03-12

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Cap'n Proto’s KJ-HTTP library contains an integer overflow caused by converting a negative Content-Length header to an unsigned value, resulting in an unrealistically large length. This flaw can theoretically allow an attacker to craft HTTP requests or responses that could be mistakenly merged or split by a server, leading to HTTP request smuggling. The weakness is classified as CWE-190, CWE-444, and CWE-681.

Affected Systems

The vulnerability affects Cap'n Proto releases prior to 1.4.0. Any software that embeds the KJ-HTTP component from these versions is potentially vulnerable. The fix was introduced in version 1.4.0.

Risk and Exploitability

The CVSS base score of 6.3 indicates moderate severity. The EPSS score is below 1 %, and the issue is not listed in the CISA KEV catalog, suggesting a low likelihood of current exploitation. The attack vector would require an attacker to send malicious HTTP traffic to a target that uses the vulnerable library; this is inferred from the nature of the bug, as the description does not state a confirmed exploitation path. Overall, the risk is moderate, but actual exploitation would demand a reachable HTTP endpoint and a client capable of sending the crafted headers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

capnproto

affected

Version	Status	Constraints
`< 1.4.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:capnproto:capnproto:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Capnproto

100%

Version	Status	Scheme	Platform
`[0,1.4.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Cap'n Proto to version 1.4.0 or later.
Rebuild or redeploy applications that link against Cap'n Proto with the updated library.
Verify that no older Cap'n Proto versions remain in deployed environments.
Monitor network traffic for anomalous HTTP requests that may indicate smuggling attempts.

Generated by OpenCVE AI on March 18, 2026 at 19:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00077.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://capnproto.org/capnproto-c++-1.4.0.tar.gz
https://capnproto.org/capnproto-c++-win32-1.4.0.zip
https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36
https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0
https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm
https://nvd.nist.gov/vuln/detail/CVE-2026-32239
https://www.cve.org/CVERecord?id=CVE-2026-32239

History

Wed, 18 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:capnproto:capnproto::::::::
Metrics	cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Sat, 14 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-681
References		https://nvd.nist.gov/vuln/detail/CVE-2026-32239 https://www.cve.org/CVERecord?id=CVE-2026-32239
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}` threat_severity `Moderate`

Fri, 13 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Capnproto Capnproto capnproto
Vendors & Products		Capnproto Capnproto capnproto

Thu, 12 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
Title		Cap'n Proto has an integer overflow in KJ-HTTP
Weaknesses		CWE-190 CWE-444
References		https://capnproto.org/capnproto-c++-1.4.0.tar.gz https://capnproto.org/capnproto-c++-win32-1.4.0.zip https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36 https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0 https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Capnproto Capnproto

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-12T19:33:25.052Z

Updated: 2026-03-13T16:15:03.051Z

Reserved: 2026-03-11T14:47:05.684Z

Link: CVE-2026-32239

Vulnrichment

Updated: 2026-03-13T16:14:59.764Z

NVD

Status : Analyzed

Published: 2026-03-12T20:16:05.010

Modified: 2026-03-18T16:55:37.693

Link: CVE-2026-32239

Redhat

Severity : Moderate

Publid Date: 2026-03-12T19:33:25Z

Links: CVE-2026-32239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T09:54:53Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object