Description
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.

'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.

When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

This issue affects bandit: before 1.11.0.
Published: 2026-05-01
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bandit HTTP server incorrectly handles requests that contain two Content-Length headers with different values. Internally it uses List.keyfind/3, which returns only the first matching header, so it reads the request body based on that first value. Bytes following the body are interpreted as a second pipelined request on the same keep-alive connection, contrary to RFC 9112 §6.3, which requires treating such a violation as an unrecoverable framing error. When Bandit sits behind a proxy that forwards the last Content-Length header instead of rejecting the request, an attacker can smuggle a second request past application-level controls such as WAFs, ACLs, rate limiting and audit logging.

Affected Systems

The vulnerability affects the Bandit web server from the mtrudel vendor. Any installation built from the source code prior to version 1.11.0 is susceptible, regardless of deployment configuration.

Risk and Exploitability

The CVSS base score of 6.3 indicates medium severity, the EPSS score is not available, and the flaw is not listed in CISA KEV. Exploitation requires an attacker to craft a request containing duplicate Content-Length headers and to rely on an upstream proxy or load balancer that forwards the request unchanged. If such a proxy exists, the attacker can smuggle a second request through perimeter defenses, potentially compromising application logic or revealing logs.

Generated by OpenCVE AI on May 2, 2026 at 10:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Bandit 1.11.0 or later to correct duplicate Content-Length handling.
  • Configure any upstream proxy, load balancer, or gateway to reject or normalize requests that contain duplicate Content-Length headers instead of passing them unchanged.
  • Implement WAF or firewall rules that detect request smuggling patterns, such as unexpected request sizes or additional payloads following the body.
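One way to implement the proxy-side check recommended above, and to see why honouring only the first header splits the body, as an added example (not Bandit's or OpenCVE's code; `parse_request`, `declared_body_length`, `first_header_split` and `SAMPLE` are constructed names and data):

```python
# Added example (not Bandit's or OpenCVE's code): HTTP/1.1 framing check as
# RFC 9110 §8.6 / RFC 9112 §6.3 require. Every Content-Length field is collected,
# not only the first, so conflicting duplicates are rejected, not split.
import re

_DIGITS = re.compile(r"[0-9]+")


def parse_request(raw: bytes):
    """Split a raw request (constructed sample input) into (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def content_length_values(headers):
    """All decimal values from every Content-Length field; "5, 5" gives [5, 5]."""
    values = []
    for name, value in headers:
        if name != "content-length":
            continue
        for item in value.split(","):
            item = item.strip()
            if not _DIGITS.fullmatch(item):
                raise ValueError(f"malformed Content-Length value {item!r}")
            values.append(int(item))
    return values


def declared_body_length(headers):
    """Body length to frame with; identical duplicates are normalised, differing
    ones (the CL.CL case) are an unrecoverable error: reject and close."""
    values = content_length_values(headers)
    if not values:
        return 0
    if len(set(values)) != 1:
        raise ValueError(f"conflicting Content-Length values {values}; reject")
    return values[0]


def first_header_split(headers, body):
    """The faulty behaviour, for comparison: honour only the first Content-Length
    (as List.keyfind/3 does) and return (body_read, bytes_left_on_connection)."""
    n = int(next(v for k, v in headers if k == "content-length"))
    return body[:n], body[n:]


# Constructed request with two disagreeing Content-Length fields.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nhello world")
```

With the sample, the strict check raises and the connection should be closed, whereas the first-header path reads 4 bytes and leaves 7 bytes on the connection to be parsed as the next request.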


Advisories

No advisories yet.

History

Sat, 02 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics | (empty) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (empty) | Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.
Title | (empty) | CL.CL HTTP request smuggling via duplicate Content-Length in bandit
First Time appeared | (empty) | Mtrudel; Mtrudel bandit
Weaknesses | (empty) | CWE-444
CPEs | (empty) | cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Mtrudel; Mtrudel bandit
References | (empty) | (empty)
Metrics | (empty) | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-02T04:17:41.202Z

Reserved: 2026-04-07T12:28:54.916Z

Link: CVE-2026-39805

Vulnrichment

Updated: 2026-05-02T01:21:06.449Z

NVD

Status: Received

Published: 2026-05-01T21:16:17.037

Modified: 2026-05-02T02:16:00.180

Link: CVE-2026-39805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses