CVE-2026-32881
Received Received - Intake
Authentication Bypass via Header Injection in ewe Web Server

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
ewe is a Gleam web server. ewe is a Gleam web server. Versions 0.6.0 through 3.0.4 are vulnerable to authentication bypass or spoofed proxy-trust headers. Chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. A malicious client can exploit this by declaring these headers in the Trailer field and appending them after the final chunk, causing request.set_header to overwrite legitimate values (e.g., those set by a reverse proxy). This enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in any downstream middleware that reads headers after ewe.read_body is called. This issue has been fixed in version 3.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vshakitskiy ewe to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32881 is a vulnerability in the Gleam web server "ewe" (versions 0.6.0 through 3.0.4) related to how it handles HTTP chunked transfer encoding trailers. The server merges declared trailer fields into the request headers after parsing the body, but it only blocks nine specific header names in its denylist. This allows a malicious client to declare sensitive headers in the Trailer field and append them after the final chunk, causing the server to overwrite legitimate header values.'}, {'type': 'paragraph', 'content': 'This flaw enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in downstream middleware that reads headers after the body is parsed. The vulnerability arises because the denylist omits several security-sensitive headers such as authorization, cookie, set-cookie, proxy-authorization, and various x-forwarded headers.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 3.0.5 by replacing the denylist with an allowlist approach that only permits explicitly safe trailer headers, thereby preventing unauthorized trailer headers from being merged into the request.'}] [4, 3, 1]

Impact Analysis

This vulnerability can have several impacts on users of the affected ewe web server versions:

  • Attackers can forge authentication credentials, allowing unauthorized access.
  • Session hijacking is possible by injecting or overwriting session cookies.
  • IP-based rate limiting can be bypassed by spoofing client IP headers.
  • Proxy-trust headers can be spoofed, potentially misleading downstream middleware about the true client or proxy.

Overall, these impacts can compromise authentication middleware, session validation, and security controls relying on trusted headers.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves malicious clients injecting or overwriting sensitive HTTP headers via chunked transfer encoding trailers. Detection involves monitoring HTTP requests for suspicious chunked transfer encoding usage with trailer headers that include sensitive fields such as authorization, cookie, set-cookie, proxy-authorization, x-forwarded-for, x-forwarded-host, x-forwarded-proto, or x-real-ip.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, you can inspect HTTP requests for chunked transfer encoding with trailer headers containing these sensitive fields. Network packet capture tools like tcpdump or Wireshark can be used to capture HTTP traffic, and filtering for chunked requests with Trailer headers can help identify suspicious activity.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'"}, {'type': 'list_item', 'content': 'Use Wireshark to filter HTTP requests with chunked transfer encoding and Trailer headers by applying display filters such as: http.transfer_encoding == "chunked" and http.trailer'}, {'type': 'list_item', 'content': 'Search server logs for HTTP requests containing the "Trailer" header or suspicious header injections after the final chunk.'}, {'type': 'paragraph', 'content': 'Because the vulnerability exploits the merging of trailer headers into request headers after body parsing, monitoring for unexpected or duplicated sensitive headers in requests can also help detect attempts.'}] [4]

Mitigation Strategies

The primary mitigation is to upgrade the ewe web server to version 3.0.5 or later, where this vulnerability has been fixed by implementing an allowlist approach for trailer headers and removing unsafe trailer header handling.

If upgrading immediately is not possible, consider implementing network-level controls to block or inspect HTTP requests with chunked transfer encoding that include suspicious Trailer headers containing sensitive fields.

Additionally, review and harden any reverse proxy or middleware that relies on headers such as authorization, cookie, and x-forwarded-for to ensure they validate and sanitize incoming headers properly.

Monitoring and alerting on unusual or unexpected header values in requests can help detect exploitation attempts early.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32881. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart