CVE-2026-44546
Analyzed Analyzed - Analysis Complete

Daphne ASGI Header Injection via Non-Standard Bytes

Vulnerability report for CVE-2026-44546, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-03

Last updated on: 2026-06-15

Assigner: Django Software Foundation

Description

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-03
Last Modified
2026-06-15
Generated
2026-07-14
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
djangoproject daphne to 4.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in daphne versions before 4.2.2, where it reconstructs a raw HTTP request from Twisted's parsed headers and passes it to autobahn for WebSocket handshake processing.

Twisted does not recognize certain byte values (\x0b, \x0c, \x1c, \x1d, \x1e, or \x85) as header line separators, but autobahn decodes header values to strings and splits them by lines.

This difference in parsing allows an attacker to inject additional headers into the ASGI scope that is passed to the application.

Daphne 4.2.2 and later versions mitigate this by rejecting requests containing these bytes in any header value with a 400 response.

Impact Analysis

An attacker exploiting this vulnerability can inject additional HTTP headers into the ASGI scope passed to the application.

This could potentially lead to unexpected behavior in the application, such as bypassing security controls or manipulating application logic that relies on header values.

However, the CVSS score of 3.7 indicates a low severity impact, with low confidentiality impact and no integrity or availability impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade daphne to version 4.2.2 or later, as this version rejects requests containing the problematic bytes in any header value with a 400 response.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44546. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart