Description
An HTTP request smuggling and desynchronization vulnerability affects the Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Published: 2026-06-11
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A parsing flaw in Kong's HTTP request processing pipeline allows an attacker to smuggle requests and cause desynchronization when handling untrusted HTTP/1.1 traffic. This can lead to manipulations such as request forging, data leakage or denial of service, compromising the confidentiality and integrity of traffic passing through the gateway.

Affected Systems

Kong Enterprise Gateway, version series 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. Every listed series is affected by the flaw.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 4.9, indicating moderate severity, and no EPSS score is available. It is not listed in CISA's KEV catalog. The likely attack vector is crafted malicious HTTP/1.1 requests sent to a network-facing gateway, exploiting the parsing defect. No privileged access is required beyond the ability to send traffic to the affected gateway.

Generated by OpenCVE AI on June 11, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kong Enterprise Gateway to a fixed release that addresses CVE-2026-6338, following the vendor’s patching guide.
  • If an upgrade cannot be performed immediately, block or filter untrusted HTTP/1.1 traffic at the network perimeter or upstream reverse proxy to prevent smuggling attempts.
  • Configure Kong to enforce strict HTTP header validation or consider disabling HTTP/1.1 and using HTTP/2 only if the application can tolerate it.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           An HTTP request smuggling and desynchronization vulnerability affects the Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Title         (none)           HTTP request smuggling in Kong Enterprise Gateway
Weaknesses    (none)           CWE-444
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/R:A/RE:M'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Kong

Published:

Updated: 2026-06-11T14:23:21.941Z

Reserved: 2026-04-15T10:07:35.856Z

Link: CVE-2026-6338

Vulnrichment

Updated: 2026-06-11T14:23:17.549Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T14:16:32.553

Modified: 2026-06-11T15:32:52.983

Link: CVE-2026-6338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')