Description
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Published: 2026-04-13
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Request smuggling through HTTP/3 parsing flaw
Action: Patch Now
AI Analysis

Impact

HAProxy’s HTTP/3 parser does not verify that the body length announced by the content-length header matches the payload actually received when the stream is closed by a frame with an empty payload. If the announced length is passed on to the backend while the body delivered differs from it, the backend’s framing of the connection falls out of step with the proxy’s, which is the precondition for request smuggling: an attacker can supply bytes the backend will parse as the start of a further request, or otherwise manipulate how the request is interpreted. The weakness is recorded as CWE-130, Improper Handling of Length Parameter Inconsistency.

Affected Systems

All HAProxy releases from 2.6 (the first with HTTP/3 support) up to, but not including, 3.3.6 are affected. The flaw is confined to the HTTP/3 implementation: an instance is exposed only if it has a QUIC listener (a bind line using the quic4@ or quic6@ address prefix) offering HTTP/3 to clients. Deployments that serve only HTTP/1.x and HTTP/2 over TCP are not reachable through this flaw.

Risk and Exploitability

The CVSS 3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N) indicates medium severity: the attack is network-reachable and needs no privileges or user interaction, but attack complexity is rated high and the only rated impact is a low integrity impact, with the scope change reflecting that the effect lands on the backend rather than on HAProxy itself. The EPSS estimate is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation; note, however, that the history on this page shows the SSVC record was later updated from Exploitation "none" to "poc", indicating that a proof of concept exists. Based on the description, an adversary would need network access to the HAProxy instance’s HTTP/3 (QUIC) listener and the ability to send a request whose DATA frames deliver a body length that differs from the announced content-length, closing the stream with an empty frame so that the length check is skipped.

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.
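The following is an added example for the Impact and Risk and Exploitability notes above; it is not HAProxy’s code and not part of the OpenCVE analysis. It is a minimal HTTP/3 request-stream reader that models the missing check in two shapes: a flawed variant in which the length comparison sits inside the DATA-payload path (so a closing DATA frame with an empty payload never reaches it) and a hardened variant that compares announced and received lengths whenever the stream ends. Frame layout follows RFC 9114 and the varint encoding RFC 9000; QPACK is not implemented, so the HEADERS payload is assumed, for this example only, to be the ASCII value of the already-decoded content-length field. All function names, the h3_stream structure and the sample streams are constructed for this illustration.

```c
/* Added example, not HAProxy code: a minimal HTTP/3 request-stream reader modelling
 * the content-length check from the CVE in a flawed and a hardened variant. Frames
 * follow RFC 9114 (varint type, varint length, payload). QPACK is not implemented:
 * the HEADERS payload is assumed, for this example only, to be the ASCII value of
 * the already-decoded content-length field. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define H3_FT_DATA    0x00
#define H3_FT_HEADERS 0x01

enum h3_result { H3_OK = 0, H3_NEED_MORE, H3_MALFORMED, H3_LENGTH_MISMATCH };
struct h3_stream { int64_t announced_len; uint64_t received_len; }; /* -1: no content-length */

/* QUIC varint (RFC 9000 s.16): top two bits of byte 0 select a 1/2/4/8-byte form. */
static size_t varint_decode(const uint8_t *p, size_t len, uint64_t *out)
{
    if (len == 0) return 0;
    size_t n = (size_t)1 << (p[0] >> 6);
    if (len < n) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < n; i++) v = (v << 8) | p[i];
    *out = v;
    return n;
}

static size_t varint_encode(uint8_t *p, uint64_t v) /* 1- and 2-byte forms suffice here */
{
    if (v < 64) { p[0] = (uint8_t)v; return 1; }
    p[0] = 0x40 | (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2;
}

static bool body_len_ok(const struct h3_stream *st)
{
    return st->announced_len < 0 || (uint64_t)st->announced_len == st->received_len;
}

/* Parse a reassembled request stream; `fin` means the QUIC FIN bit follows the last byte.
 * strict=false reproduces the flawed shape: the check sits in the DATA payload path, so a
 * closing DATA frame with an empty payload never reaches it. strict=true checks at end of
 * stream regardless of which frame closed it. */
static enum h3_result h3_read_stream(struct h3_stream *st, const uint8_t *buf,
                                     size_t len, bool fin, bool strict)
{
    size_t off = 0;
    while (off < len) {
        uint64_t type, flen;
        size_t n = varint_decode(buf + off, len - off, &type);
        if (!n) return H3_MALFORMED;
        off += n;
        n = varint_decode(buf + off, len - off, &flen);
        if (!n) return H3_MALFORMED;
        off += n;
        if (flen > len - off) return H3_NEED_MORE;
        bool last_frame = fin && off + flen == len;
        if (type == H3_FT_HEADERS) {
            char tmp[21] = {0};
            if (flen >= sizeof tmp) return H3_MALFORMED;
            memcpy(tmp, buf + off, (size_t)flen);
            st->announced_len = flen ? (int64_t)strtoull(tmp, NULL, 10) : -1;
        } else if (type == H3_FT_DATA && flen > 0) {
            st->received_len += flen;
            if (!strict && last_frame && !body_len_ok(st)) return H3_LENGTH_MISMATCH;
        }
        /* empty DATA frames and unknown frame types contribute no body bytes */
        off += (size_t)flen;
    }
    if (!fin) return H3_NEED_MORE;
    if (strict && !body_len_ok(st)) return H3_LENGTH_MISMATCH;
    return H3_OK;
}

/* Append one frame to `out`; returns bytes written. */
static size_t put_frame(uint8_t *out, uint64_t type, const void *payload, size_t plen)
{
    size_t n = varint_encode(out, type);
    n += varint_encode(out + n, plen);
    memcpy(out + n, payload, plen);
    return n + plen;
}

/* Constructed stream: HEADERS announcing `announced` bytes, one DATA frame with `body`,
 * optionally an empty DATA frame, then FIN. Returns the parser's verdict. */
static enum h3_result run_stream(const char *announced, const char *body, bool empty_close, bool strict)
{
    uint8_t buf[128];
    size_t n = put_frame(buf, H3_FT_HEADERS, announced, strlen(announced));
    n += put_frame(buf + n, H3_FT_DATA, body, strlen(body));
    if (empty_close) n += put_frame(buf + n, H3_FT_DATA, "", 0);
    struct h3_stream st = { -1, 0 };
    return h3_read_stream(&st, buf, n, true, strict);
}
```

The attacker-shaped request is run_stream("5", "hello world", true, false): five body bytes announced, eleven delivered, stream closed by an empty DATA frame carrying FIN. With the flawed placement the comparison is never reached and the request is accepted for forwarding; the same bytes with strict checking are rejected, as they are in both variants when FIN arrives on the non-empty DATA frame instead. The design point is that the length invariant belongs at end-of-stream, not in the branch that happens to consume payload.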

Remediation

No separate vendor advisory or workaround is linked on this page. The CVE description itself identifies 3.3.6 as the first fixed release, so upgrading is the remediation; where an upgrade must wait, the exposure is limited to listeners that offer HTTP/3 over QUIC.

OpenCVE Recommended Actions

  • Upgrade HAProxy to version 3.3.6 or newer

Generated by OpenCVE AI on April 13, 2026 at 18:52 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type: Metrics
Values removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000


Tue, 14 Apr 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 00:15:00 +0000

Type: Title
Values added: haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization
Type: References
Type: Metrics
Values removed: threat_severity None
Values added: threat_severity Moderate


Mon, 13 Apr 2026 16:45:00 +0000

Type: Description
Values added: An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Type: First Time appeared
Values added: Haproxy; Haproxy haproxy
Type: Weaknesses
Values added: CWE-130
Type: CPEs
Values added: cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Haproxy; Haproxy haproxy
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T18:43:17.553Z

Reserved: 2026-03-22T00:00:00.000Z

Link: CVE-2026-33555

Vulnrichment

Updated: 2026-04-14T13:22:34.930Z

NVD

Status : Awaiting Analysis

Published: 2026-04-13T17:16:28.237

Modified: 2026-04-22T19:17:02.273

Link: CVE-2026-33555

Redhat

Severity : Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-33555 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:35:44Z

Weaknesses