CVE-2026-39805: HTTP Request Smuggling in Bandit
Status: Deferred (Pending Action)

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: EEF

Description
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: mtrudel; Product: bandit; Version / Range: all versions before 1.11.0 (1.11.0 itself not affected)
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an Inconsistent Interpretation of HTTP Requests issue in the mtrudel bandit software, specifically related to how it handles duplicate Content-Length headers in HTTP requests.

The function 'Elixir.Bandit.Headers':get_content_length/1 uses a method that only considers the first Content-Length header when multiple are present. If two Content-Length headers with different values exist, Bandit accepts the request, uses the first value to read the body, and treats the remaining bytes as a second pipelined request on the same connection.

According to RFC 9112 §6.3, this situation should be treated as an unrecoverable framing error, but Bandit does not do this.

When Bandit is behind a proxy that picks the last Content-Length header and forwards the request instead of rejecting it, an unauthenticated attacker can exploit this to smuggle requests past security controls like edge WAF rules, path-based ACLs, rate limiting, and audit logging.
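The following is an added example, not code from the Bandit project or from this advisory. It models the framing divergence described above on a toy HTTP/1.1 parser: a "first" policy mirrors the vulnerable List.keyfind/3 lookup, a "last" policy mirrors the proxy behaviour the advisory describes, and a "strict" policy applies the RFC 9112 §6.3 rule of rejecting conflicting values (the behaviour the advisory attributes to 1.11.0). The request bytes, paths and host name are constructed for the demonstration; `FramingError`, `parse_headers`, `content_length` and `frame_requests` are names chosen here, not Bandit's.

```python
"""Toy HTTP/1.1 framing to show how the same keep-alive byte stream is
split differently depending on which Content-Length value a parser trusts.
Added example for CVE-2026-39805; not Bandit's code."""
import re
from typing import List, Tuple

class FramingError(Exception):
    """Raised when a request cannot be framed unambiguously."""

def parse_headers(block: bytes) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Split a header block into (request-line, [(name, value), ...]).
    Names are lower-cased; the original header order is preserved."""
    lines = block.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("ascii").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def content_length(headers: List[Tuple[str, str]], policy: str) -> int:
    """policy 'first'  : first Content-Length wins (vulnerable Bandit behaviour)
       policy 'last'   : last Content-Length wins (the proxy behaviour in the advisory)
       policy 'strict' : all values must agree, otherwise reject (RFC 9112 section 6.3)"""
    values = [v for (n, v) in headers if n == "content-length"]
    if not values:
        return 0
    if not all(re.fullmatch(r"[0-9]+", v) for v in values):
        raise FramingError("non-numeric Content-Length value")
    if policy == "strict" and len(set(values)) > 1:
        raise FramingError("conflicting Content-Length values: %r" % values)
    return int(values[-1] if policy == "last" else values[0])

def frame_requests(stream: bytes, policy: str) -> List[Tuple[bytes, bytes]]:
    """Consume a keep-alive byte stream, returning [(request_line, body), ...]."""
    out = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            raise FramingError("incomplete header block")
        request_line, headers = parse_headers(head)
        n = content_length(headers, policy)
        if len(rest) < n:
            raise FramingError("truncated body")
        out.append((request_line, rest[:n]))
        stream = rest[n:]
    return out

# Constructed sample: one request carrying two Content-Length values.
# The first value (4) covers only "AAAA"; the second (42) covers "AAAA"
# plus the 38 bytes that, on their own, parse as a second request.
TRAILING = b"GET /b HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE = (
    b"POST /a HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Length: 4\r\nContent-Length: 42\r\n\r\n"
    b"AAAA" + TRAILING
)

if __name__ == "__main__":
    for policy in ("first", "last", "strict"):
        try:
            print(policy, frame_requests(SAMPLE, policy))
        except FramingError as e:
            print(policy, "rejected:", e)
```

With "first", the stream yields two requests (the second one never seen by a proxy that framed the same bytes with "last"); with "strict", the stream is rejected before any body is read, which is the only interpretation that leaves both hops in agreement.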


How can this vulnerability impact me?

This vulnerability can allow an unauthenticated attacker to bypass security mechanisms such as web application firewalls (WAF), access control lists (ACLs), rate limiting, and audit logging by smuggling HTTP requests.

As a result, attackers may be able to perform unauthorized actions, evade detection, and potentially exploit other vulnerabilities or access sensitive resources.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows HTTP request smuggling via duplicate Content-Length headers, which can enable an unauthenticated attacker to bypass edge WAF rules, path-based ACLs, rate limiting, and audit logging.

Such bypasses can undermine security controls that are often required for compliance with standards and regulations like GDPR and HIPAA, which mandate proper access controls, logging, and protection against unauthorized access.

Therefore, this vulnerability could negatively impact compliance by allowing attackers to evade security mechanisms designed to protect sensitive data and ensure proper monitoring.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting HTTP requests for the presence of duplicate Content-Length headers with differing values. An attacker may send requests containing two Content-Length headers where the first value is used by Bandit and the second value is used by a proxy, enabling request smuggling.

To detect such attempts on your network or system, you can capture and analyze HTTP traffic looking for requests with multiple Content-Length headers. For example, using command-line tools like tcpdump or tshark to capture traffic and grep or Wireshark to filter HTTP headers.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'
  • Filter captured traffic for duplicate Content-Length headers using grep or similar tools.
  • Use tshark to list request lines that carry a Content-Length header: tshark -Y 'http.request.line contains "Content-Length"' -T fields -e http.request.line
  • In Wireshark, apply a display filter to find HTTP requests with multiple Content-Length headers.

Additionally, monitoring logs for unusual or malformed HTTP requests, especially those with conflicting Content-Length headers, can help detect exploitation attempts.
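As an added example (not part of this advisory and not a Bandit or Wireshark tool), the check below classifies captured request header blocks the way the detection guidance above describes: it flags requests with more than one Content-Length header and distinguishes conflicting values, identical duplicates and non-numeric values. The header blocks in `SAMPLE_CAPTURE` are constructed; the function names `audit_request` and `audit_capture` are chosen here. Header blocks for it can come from a tshark/tcpdump capture of plaintext traffic or from request logging at the TLS termination point, since port 443 traffic is not readable on the wire.

```python
"""Classify captured HTTP/1.1 request header blocks by their Content-Length
headers. Added example for CVE-2026-39805 detection; samples are constructed."""
import re
from typing import Dict, List

# Header names are case-insensitive; match one Content-Length line at a time.
CL_RE = re.compile(r"^content-length\s*:\s*(.*?)\s*$", re.IGNORECASE | re.MULTILINE)

def audit_request(raw: str) -> Dict[str, object]:
    """Return a verdict for one request header block.
    'conflict'  : several Content-Length headers with differing values
                  (the precondition for the smuggling described in the advisory)
    'duplicate' : several Content-Length headers, all identical (unusual, worth a look)
    'malformed' : a Content-Length value that is not a plain decimal integer
    'ok'        : zero or one well-formed Content-Length header"""
    request_line = raw.split("\n", 1)[0].strip()
    values = CL_RE.findall(raw)
    if any(not re.fullmatch(r"[0-9]+", v) for v in values):
        verdict = "malformed"
    elif len(set(values)) > 1:
        verdict = "conflict"
    elif len(values) > 1:
        verdict = "duplicate"
    else:
        verdict = "ok"
    return {"request": request_line, "content_lengths": values, "verdict": verdict}

def audit_capture(blocks: List[str]) -> List[Dict[str, object]]:
    """Audit many header blocks and keep only those that are not 'ok'."""
    return [r for r in (audit_request(b) for b in blocks) if r["verdict"] != "ok"]

# Constructed sample capture: one clean request and three that should be flagged.
SAMPLE_CAPTURE = [
    "POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 27\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 42\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example\r\ncontent-length: 12\r\nContent-Length: 12\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 1e3\r\n\r\n",
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print("%-9s %s  Content-Length=%s" % (finding["verdict"], finding["request"], finding["content_lengths"]))
```

A "conflict" hit on a Bandit host older than 1.11.0 is the signal to investigate the fronting proxy's framing choice; a "duplicate" hit is permitted by RFC 9112 but rarely produced by legitimate clients, so it is worth logging as well.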


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the Bandit HTTP server library to version 1.11.0 or later, where the vulnerability is fixed by rejecting requests containing multiple Content-Length headers.

If upgrading immediately is not possible, you should configure any fronting proxies or WAFs to reject HTTP requests with duplicate Content-Length headers or ensure they do not forward requests with conflicting Content-Length values.

Additionally, review and harden your security controls such as WAF rules, ACLs, and rate limiting to detect and block suspicious requests that may attempt HTTP request smuggling.

Monitoring and logging should be enhanced to detect anomalies related to HTTP request framing errors.

