Description
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync
attack (request smuggling), which in turn can be used for cache poisoning,
authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the
feature parameter to contain +http2. HTTP/2 support is disabled by
default.
Published: 2026-06-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the HTTP/2 request parsing logic of Vinyl Cache and Varnish Cache versions older than 9.0.1 and 9.0.3, respectively. It allows an attacker to craft malformed headers that are interpreted differently by the server and the upstream backend, creating a backend request desynchronization (request smuggling) vector. This can be leveraged to poison the cache, bypass authentication, or potentially disclose or manipulate sensitive information. The weakness is a classic instance of CWE‑444, where unsafe parsing of protocol parameters leads to disordered request handling.

Affected Systems

Affected products include The Vinyl Cache Project’s Varnish Cache (pre split) and Vinyl Cache, and Varnish Software’s Varnish Cache. The vulnerability exists in all releases before Vinyl Cache 9.0.1 and before Varnish Cache 9.0.3. Importantly, the attack vector is active only when HTTP/2 support is enabled for the instance, which is disabled by default.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Because the flaw can only be exploited with HTTP/2 enabled, the immediate risk to systems that have left this feature disabled is low; however, any operational deployment enabling HTTP/2 presents a potential for a severe backend desync attack if a public exploit materializes.

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.

Remediation

Vendor Solution

Update to fix version

Vendor Workaround

Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it is, it can be disabled * at runtime by issuing vinyladm param.set feature -http2 * persistently by removing -p feature=+http2 from the vinyld startup parameters Note that HTTP/2 typically requires a TLS offloader, which must be changed to no longer send the h2 ALPN. For example with haproxy, in the listen/bind configuration directive, alpn h2,http/1.1 should be replaced with alpn http/1.1.

OpenCVE Recommended Actions

  • Upgrade Vinyl Cache to version 9.0.1 or newer, or upgrade Varnish Cache to version 9.0.3 or newer, which contain the patch for this HTTP/2 parsing defect.
  • Disable HTTP/2 if an upgrade is not possible: for Vinyl Cache run `vinyladm param.set feature -http2` at runtime or remove the `+http2` flag from the startup parameters; for Varnish Cache remove the `-p feature=+http2` option from the varnishd command line.
  • For installations that cannot disable HTTP/2, apply the VCL mitigation snippet provided in the advisory (e.g., the vsv19 code) or enable inline‑C (`+allow_inline_c`) and add the accompanying VCL, ensuring that `bereq.http.Connection` is not unset elsewhere.

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Title HTTP/2 Request Parsing Flaw Enabling Backend Desync Attack in Vinyl Cache and Varnish Cache

Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
Weaknesses CWE-444
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T13:27:33.193Z

Reserved: 2026-06-03T03:56:01.075Z

Link: CVE-2026-50052

cve-icon Vulnrichment

Updated: 2026-06-03T13:27:24.624Z

cve-icon NVD

Status : Received

Published: 2026-06-03T06:16:35.390

Modified: 2026-06-03T06:16:35.390

Link: CVE-2026-50052

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T13:30:26Z

Weaknesses