CVE-2026-1760
Unknown Unknown - Not Provided
HTTP Request Smuggling in SoupServer Causes Potential DoS

Publication date: 2026-02-02

Last updated on: 2026-03-19

Assigner: Red Hat, Inc.

Description
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1760
EUVD
EUVD-2026-5105
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnome libsoup *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTTP request smuggling flaw in SoupServer, part of libsoup. It happens because SoupServer improperly handles HTTP requests that include both 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers. Specifically, SoupServer fails to close the connection as required by RFC 9112 after sending a response. This allows an attacker to send specially crafted requests that smuggle additional HTTP requests over the same persistent connection, leading to unintended request processing. [1]

Impact Analysis

An attacker can exploit this vulnerability remotely without authentication to smuggle additional HTTP requests over a persistent connection. This can cause unintended request processing and potentially lead to denial-of-service (DoS) conditions, disrupting the availability of the affected service. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP traffic for requests that include both 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers, which SoupServer improperly handles. Network packet capture tools like tcpdump or Wireshark can be used to filter and analyze such HTTP requests. For example, using tcpdump, you can capture HTTP traffic with: tcpdump -A -s 0 'tcp port 80' and then inspect for suspicious requests combining these headers. Additionally, reviewing server logs for abnormal persistent connections or unexpected request processing may help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating libsoup to a patched version where this vulnerability is fixed. If an update is not immediately possible, consider disabling persistent connections or restricting the use of 'Transfer-Encoding: chunked' headers in incoming requests at the server or network level. Implementing firewall rules or web application firewall (WAF) filters to block suspicious HTTP requests that combine 'Transfer-Encoding: chunked' and 'Connection: keep-alive' headers can also reduce risk. Monitoring and limiting the number of requests per connection may help prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart