Description
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Published: 2026-03-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cache poisoning or authentication bypass
Action: Apply Patch
AI Analysis

Impact

Varnish Cache before version 8.0.1 and Varnish Enterprise before 6.0.16r12 contain a flaw in which, in certain scenarios where req.url is not checked, URLs with a path of '/' are mishandled for HTTP/1.1 requests. This mishandling can lead to cache poisoning or an authentication bypass, allowing attackers to inject malicious content into the cache or gain unauthorized access to backend resources.

Affected Systems

The vulnerability affects Varnish Software's Varnish Cache and Varnish Enterprise. Affected releases are all Varnish Cache versions earlier than 8.0.1 and all Varnish Enterprise versions earlier than 6.0.16r12.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be remote, over the network: an attacker can target the Varnish instance by sending a specially crafted HTTP/1.1 request with a '/' path to the affected service.

Generated by OpenCVE AI on March 27, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Varnish Cache to version 8.0.1 or later and Varnish Enterprise to version 6.0.16r12 or later.
  • Adjust Varnish configuration to reject or properly validate URLs with a '/' path under HTTP/1.1 if immediate upgrade is not possible.
  • Monitor logs for signs of cache poisoning or unauthorized authentication attempts.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Varnish Cache URL Handling Leading to Cache Poisoning and Authentication Bypass |

Fri, 27 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 27 Mar 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass. |
| First Time appeared | | Varnish-software; Varnish-software varnish Cache |
| Weaknesses | | CWE-180 |
| CPEs | | cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:* |
| Vendors & Products | | Varnish-software; Varnish-software varnish Cache |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'} |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:01:11.327Z

Reserved: 2026-03-27T19:40:27.986Z

Link: CVE-2026-34475

Vulnrichment

Updated: 2026-03-27T20:01:02.764Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T20:16:36.390

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-34475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:38Z

Weaknesses