CVE-2026-28497
Received Received - Intake
Integer Overflow in TinyWeb Enables Critical HTTP Request Smuggling

Publication date: 2026-03-06

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer overflow vulnerability in the string-to-integer conversion routine (_Val) allows an unauthenticated remote attacker to bypass Content-Length restrictions and perform HTTP Request Smuggling. This can lead to unauthorized access, security filter bypass, and potential cache poisoning. The impact is critical for servers using persistent connections (Keep-Alive). This issue has been patched in version 2.03.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28497
EUVD
EUVD-2026-9969
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ritlabs tinyweb to 2.03 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28497 is a critical integer overflow vulnerability in the TinyWeb HTTP server, specifically in the string-to-integer conversion function (_Val) used to parse the Content-Length header.

When an attacker sends a Content-Length value larger than the 32-bit signed integer limit, the value overflows and wraps around to a smaller positive integer. This causes TinyWeb to read only a small portion of the request body while the frontend forwards the full large payload.

The leftover data in the socket buffer is then interpreted as a new HTTP request on the same persistent connection, enabling HTTP Request Smuggling attacks.

  • Security filter bypass by smuggling unauthorized requests within benign requests.
  • Web cache poisoning by injecting malicious responses into caches.
  • Request hijacking leading to potential credential theft.

This vulnerability violates RFC 9110 and RFC 9112 requirements for strict Content-Length validation and was fixed in TinyWeb version 2.03.

Impact Analysis

This vulnerability can have critical impacts if you use TinyWeb servers with persistent connections (Keep-Alive).

  • Unauthorized access through smuggled HTTP requests that bypass security filters.
  • Security filter bypass allowing attackers to perform actions like unauthorized POST requests.
  • Web cache poisoning, which can cause users to receive malicious or incorrect cached content.
  • Credential theft or session hijacking by appending smuggled requests to legitimate user requests.

Overall, the vulnerability compromises confidentiality and integrity of communications handled by the TinyWeb server.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests for unusually large or malformed Content-Length headers that exceed the 32-bit signed integer limit, such as values around 4294967306. An attacker sends crafted HTTP requests with overflowing Content-Length headers to exploit the integer overflow.'}, {'type': 'paragraph', 'content': 'Detection involves capturing and analyzing HTTP traffic on persistent connections (Keep-Alive) to identify desynchronization between frontend and backend servers, such as leftover data in socket buffers or unexpected smuggled requests.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests with large Content-Length headers. For example, using tcpdump to capture HTTP traffic on port 80 or 443:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -i 'Content-Length'"}, {'type': 'paragraph', 'content': 'Then manually inspect or script detection for Content-Length values exceeding the 32-bit integer limit (greater than 2147483647). Additionally, monitoring logs for HTTP 400 Bad Request responses or anomalies in request processing may help detect exploitation attempts.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade TinyWeb to version 2.03 or later, where the integer overflow vulnerability in the _Val function has been fixed with RFC 9110/9112 compliant validation.

If immediate patching is not possible, additional mitigation steps include:

  • Use a reverse proxy such as Nginx to normalize HTTP headers and strip ambiguous or multiple Content-Length headers.
  • Disable HTTP persistent connections (Keep-Alive) to prevent request smuggling via connection reuse.
  • Configure the server or proxy to reject requests with multiple Content-Length headers or malformed headers, returning HTTP 400 Bad Request.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart