Executive Summary

CVE-2026-34475 is a vulnerability in Varnish Cache and Varnish Enterprise that affects how HTTP/1.1 requests with a root URL path "/" are handled. Specifically, when the req.url variable is not properly checked, it can lead to mishandling of URLs, which may cause cache poisoning or authentication bypass.

The issue arises when the req.url is passed unchecked to a backend that accepts requests with absolute form URIs. This vulnerability affects all Varnish Cache releases up to 8.0.0, Varnish Cache 6.0 LTS series up to 6.0.16, and Varnish Enterprise 6.0.x up to 6.0.16r11.

The vulnerability does not affect requests targeting subpaths (e.g., /whatever), only the root path (/).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to perform cache poisoning or authentication bypass attacks.

Cache poisoning can cause users to receive incorrect or malicious content from the cache, potentially leading to misinformation or exposure to harmful data.

Authentication bypass could allow unauthorized users to gain access to protected resources or services, compromising security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves mishandling of HTTP/1.1 requests with a path of "/" in the req.url variable, potentially leading to cache poisoning or authentication bypass.

To detect this vulnerability on your system, you can monitor HTTP requests targeting the root URL path "/" and check if the Varnish Cache version in use is affected (versions up to 8.0.0 or 6.0.16r11 for Varnish Enterprise).

While no specific detection commands are provided, you can use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests with the root path "/".

• Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i <interface> 'tcp port 80 or tcp port 443'
• Filter captured traffic for HTTP requests with path "/" using tools like tshark or by analyzing logs.
• Check your Varnish Cache version with: varnishd -V

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Varnish Cache or Varnish Enterprise to a fixed version:

• Upgrade to Varnish Cache 8.0.1 or later.
• Upgrade to Varnish Cache 6.0 LTS version 6.0.17 or later.
• Upgrade to Varnish Enterprise 6.0.16r12 or later.

If upgrading is not immediately feasible, apply the following VCL snippet at the top of your VCL configuration to validate request URLs and methods, restricting requests with absolute form URIs that do not start with "/" unless the method is CONNECT:

```vcl sub vsv18 { if (req.url == "*" && req.method == "OPTIONS") { return; } # By default, CONNECT method is not allowed (see vcl_req_method) if (req.url !~ "^/" && req.method != "CONNECT") { return (synth(400)); } } sub vcl_recv { call vsv18; } ```

This mitigation returns a synthetic 400 error for disallowed requests, reducing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Varnish Cache and Varnish Enterprise can lead to cache poisoning or authentication bypass due to mishandling of certain HTTP/1.1 request URLs. Such security weaknesses could potentially expose sensitive data or allow unauthorized access, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with specific regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0