Description
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Published: 2026-03-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass and cache poisoning
Action: Immediate Patch
AI Analysis

Impact

Varnish software's caching engine fails to properly normalize request URLs that contain a forward‑slash path when serving HTTP/1.1 traffic. As a result, an attacker can craft a request that causes the proxy to cache or serve content that it would normally treat as distinct to other clients. This flaw can be leveraged to inject false cache entries or to bypass authentication mechanisms that rely on cache validation, potentially allowing unauthorized access to protected content.

Affected Systems

Varnish Cache versions prior to 8.0.1 and Varnish Enterprise prior to 6.0.16r12 are affected. Only these legacy releases are at risk; newer releases are not vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, indicating moderate risk, and has an EPSS score of less than 1 %, suggesting a low probability of mass exploitation. It is not currently listed in the CISA KEV catalog. Exploitation requires remote delivery of a crafted HTTP/1.1 request targeting the vulnerable server, which an attacker can easily embed in malicious traffic. The impact, however, is limited to the realm of cache poisoning and authentication bypass for requests that trigger the unchecked URL handler.

Generated by OpenCVE AI on April 2, 2026 at 02:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Varnish Cache to version 8.0.1 or later or Varnish Enterprise to 6.0.16r12 or later
  • Reconfigure the caching layer to ignore or sanitize URLs with a single forward slash for HTTP/1.1 traffic

Generated by OpenCVE AI on April 2, 2026 at 02:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Varnish Cache URL Handling Leading to Cache Poisoning and Authentication Bypass Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Moderate

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Varnish Cache URL Handling Leading to Cache Poisoning and Authentication Bypass

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
First Time appeared Varnish-software
Varnish-software varnish Cache
Weaknesses CWE-180
CPEs cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*
Vendors & Products Varnish-software
Varnish-software varnish Cache
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Varnish-software Varnish Cache
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:01:11.327Z

Reserved: 2026-03-27T19:40:27.986Z

Link: CVE-2026-34475

cve-icon Vulnrichment

Updated: 2026-03-27T20:01:02.764Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-27T20:16:36.390

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-34475

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T19:40:28Z

Links: CVE-2026-34475 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:25Z

Weaknesses