CVE-2026-34441
Received Received - Intake
HTTP Request Smuggling in cpp-httplib Server Static File Handler

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34441
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yhirose cpp-httplib to 0.40.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade cpp-httplib to version 0.40.0 or later, where the HTTP Request Smuggling issue has been patched.

Executive Summary

The vulnerability exists in cpp-httplib, a C++11 single-file header-only cross platform HTTP/HTTPS library, in versions prior to 0.40.0. It is an HTTP Request Smuggling issue where the server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. This allows an attacker to embed an arbitrary HTTP request inside the body of a GET request, which the server then processes as a separate request.

Impact Analysis

This vulnerability can allow an attacker to smuggle HTTP requests through the server by embedding arbitrary requests inside the body of a GET request. This can lead to unintended processing of malicious requests by the server, potentially causing information disclosure or manipulation of server behavior. The CVSS score indicates a low to medium impact with confidentiality and integrity impacts but no impact on availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34441. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart