CVE-2026-23941
Analyzed Analyzed - Analysis Complete
HTTP Request Smuggling in Erlang OTP Inets Module Allows Request Desync

Publication date: 2026-03-13

Last updated on: 2026-05-21

Assigner: EEF

Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23941
EUVD
EUVD-2026-11776
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
erlang erlang/otp From 17.0 (inc) to 26.2.5.18 (exc)
erlang erlang/otp From 27.0 (inc) to 27.3.4.9 (exc)
erlang erlang/otp From 28.0 (inc) to 28.4.1 (exc)
erlang erlang/inets From 5.10 (inc) to 9.1.0.5 (exc)
erlang erlang/inets From 9.3 (inc) to 9.3.2.3 (exc)
erlang erlang/inets From 9.6 (inc) to 9.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23941 is a high-severity HTTP request smuggling vulnerability in the Erlang/OTP httpd server. It occurs because the server improperly handles HTTP requests containing multiple Content-Length headers with differing values. Specifically, the server uses the first Content-Length header for parsing the request body, while common reverse proxies use the last Content-Length header. This inconsistency violates RFC 9112 Section 6.3 and causes front-end and back-end desynchronization.

This desynchronization allows an attacker to smuggle malicious HTTP requests by queuing attacker-controlled bytes as the start of the next request, potentially bypassing security controls.

Impact Analysis

Exploitation of this vulnerability can lead to several serious impacts including:

  • Authentication bypass by smuggled requests circumventing proxy-layer authentication to access protected backend resources.
  • Cache poisoning through desynchronization of request and response boundaries.
  • Request hijacking by prepending smuggled requests to legitimate user requests on persistent connections, enabling unauthorized actions.

These impacts primarily affect deployments where the Erlang/OTP httpd server is used behind front-end proxies that handle Content-Length headers differently and have HTTP persistent connections enabled.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests for the presence of multiple Content-Length headers with differing values, which is the root cause of the HTTP request smuggling issue.'}, {'type': 'paragraph', 'content': 'Detection involves checking HTTP traffic, especially requests passing through reverse proxies or load balancers, for duplicate Content-Length headers that do not match.'}, {'type': 'paragraph', 'content': 'While specific commands are not provided in the resources, typical detection methods include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests and inspecting headers for multiple Content-Length fields.'}, {'type': 'paragraph', 'content': 'For example, you can use tcpdump to capture HTTP traffic on port 80 or 443 and then filter or search for requests containing multiple Content-Length headers.'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -i 'Content-Length'"}, {'type': 'list_item', 'content': 'Use custom scripts or tools to parse captured HTTP requests and flag those with multiple Content-Length headers having different values.'}, {'type': 'paragraph', 'content': 'Additionally, web application firewalls (WAFs) can be configured to detect and block requests with multiple Content-Length headers.'}] [1]

Mitigation Strategies

Immediate mitigation steps include configuring your frontend proxies to reject HTTP requests containing multiple Content-Length headers.

Disabling HTTP keep-alive in the Erlang/OTP httpd server by setting the configuration option `{keep_alive, false}` is recommended to close connections after each request, preventing request desynchronization, though this may impact performance.

Deploying Web Application Firewalls (WAFs) with rules to reject or block requests containing multiple Content-Length headers is also advised.

Updating Erlang/OTP and inets to the patched versions (OTP 28.4.1, 27.3.4.9, 26.2.5.18 and inets 9.1.0.5, 9.3.2.3, 9.6.1) that include the fix for this vulnerability is the definitive solution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart