CVE-2026-28898
Analyzed Analyzed - Analysis Complete

HTTP/2 Pseudo-Header Validation Flaw in swift-nio-http2

Vulnerability report for CVE-2026-28898, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-30

Assigner: Apple Inc.

Description

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-30
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apple swiftnio_http/2 to 1.44.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves improper validation of control characters (CR, LF, NUL) in HTTP/2 pseudo-header values during translation to HTTP/1.1. Detection would involve monitoring HTTP/2 traffic for pseudo-header fields (:path, :authority, :scheme, :method, :status) containing these control characters.

Since the issue is specific to SwiftNIO HTTP/2-to-HTTP/1.1 codec versions prior to 1.44.1, detection can also include verifying the version of swift-nio-http2 in use on your servers.

For network detection, you can capture HTTP/2 traffic using tools like Wireshark or tcpdump and inspect pseudo-header fields for suspicious control characters.

Example commands to capture HTTP/2 traffic on port 443 (assuming TLS termination is accessible):

  • tcpdump -i <interface> -w capture.pcap port 443
  • Use Wireshark to open capture.pcap and filter for HTTP/2 pseudo-header fields containing control characters.

Alternatively, if you have access to server logs or application-level debugging, check for connection errors related to rejected requests containing control characters in pseudo-headers, which are indicative of this vulnerability being triggered.

To check the swift-nio-http2 version on your system, you can inspect your project's dependencies or use package management commands relevant to your environment.

Compliance Impact

The vulnerability allows HTTP/2-to-HTTP/1.1 request smuggling by injecting control characters into pseudo-header values, potentially enabling attackers to manipulate HTTP requests in reverse-proxy setups.

Such manipulation could lead to unauthorized access or data exposure, which may impact compliance with standards like GDPR or HIPAA that require protection of data integrity and confidentiality.

However, the provided information does not explicitly discuss compliance implications or specific effects on regulatory requirements.

Executive Summary

The vulnerability in swift-nio-http2's HTTP/2-to-HTTP/1.1 codec involves the lack of validation for pseudo-header values before they are translated into HTTP/1.1 messages. Specifically, pseudo-header values such as :path, :authority, :scheme, :method, and :status were not checked for control characters like carriage return (CR), line feed (LF), or null (NUL) bytes.

Because of this, malicious requests or responses containing these control characters could be processed improperly, potentially leading to unexpected behavior. The issue was fixed in version 1.44.1 by adding validation at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer, rejecting any requests or responses with such invalid characters with a connection error.

Impact Analysis

This vulnerability can impact you by allowing malformed HTTP/2 requests or responses containing control characters in pseudo-header values to be translated into HTTP/1.1 messages without proper validation. This could lead to security issues such as request smuggling, response splitting, or other unexpected behaviors in HTTP message processing.

Such issues might be exploited by attackers to bypass security controls, inject malicious content, or disrupt normal communication between clients and servers.

Mitigation Strategies

To mitigate this vulnerability, update swift-nio-http2 to version 1.44.1 or later, which includes validation of all pseudo-header values and rejects requests or responses containing control characters such as CR, LF, or NUL bytes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart