CVE-2026-2835
Received Received - Intake
HTTP Request Smuggling in Pingora Enables Proxy Bypass and Cache Poisoning

Publication date: 2026-03-05

Last updated on: 2026-03-12

Assigner: Cloudflare, Inc.

Description
An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’. Impact This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to: * Bypass proxy-level ACL controls and WAF logic * Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests * Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests. Mitigation: Pingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited. As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact β€œchunked” string match.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-12
Generated
2026-05-27
AI Q&A
2026-03-05
EPSS Evaluated
2026-05-25
NVD
CVE-2026-2835
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudflare pingora to 0.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an HTTP Request Smuggling issue found in Pingora's handling of HTTP/1.0 and Transfer-Encoding requests. It happens because Pingora improperly allows HTTP/1.0 request bodies to be close-delimited and incorrectly handles multiple Transfer-Encoding values. This flaw lets attackers send specially crafted HTTP/1.0 requests that cause Pingora's request framing to become desynchronized from backend servers.


How can this vulnerability impact me? :

This vulnerability mainly affects standalone Pingora deployments in front of backends that accept HTTP/1.0 requests. An attacker could exploit it to:

  • Bypass proxy-level access control lists (ACL) and Web Application Firewall (WAF) logic.
  • Poison caches and upstream connections, causing legitimate users to receive responses meant for smuggled requests.
  • Perform cross-user attacks by hijacking sessions or smuggling requests that appear to come from the trusted proxy IP.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users should upgrade to Pingora version 0.8.0 or higher, which fixes the issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.

As a workaround, users can reject certain requests with an error in the request filter logic to stop processing bytes on the connection and disable downstream connection reuse.

  • Reject any non-HTTP/1.1 request.
  • Reject requests with invalid Content-Length headers.
  • Reject requests with multiple Transfer-Encoding headers.
  • Reject requests where the Transfer-Encoding header is not an exact β€œchunked” string match.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart