CVE-2026-44546
Daphne ASGI Header Injection via Non-Standard Bytes

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: Django Software Foundation

Description
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
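The parser differential above comes down to `str.splitlines()` honouring more line boundaries than HTTP does. The following is an added example, not daphne's or autobahn's own code: it contrasts a strict CRLF header split with a `splitlines()` split on a constructed header block, and implements a reject check of the kind the fix describes (decoding as latin-1 is an assumption).

```python
# Added example, not daphne's or autobahn's own code. It contrasts a strict
# CRLF header split with a str.splitlines() split and shows the kind of
# reject check the fix describes. Decoding as latin-1 is an assumption.

# Bytes that str.splitlines() treats as line boundaries but HTTP does not.
# \x85 becomes NEL (U+0085) after latin-1 decoding, which splitlines() honours.
NON_STANDARD_LINE_SEPARATORS = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")

# Constructed sample: one header whose value carries a vertical tab (\x0b).
SAMPLE_HEADERS = b"Host: example.test\r\nX-Custom: a\x0bInjected: yes\r\n"


def crlf_lines(raw: bytes) -> list[bytes]:
    """Strict HTTP-style split: only CRLF (or a bare LF) ends a header line."""
    return [line for line in raw.replace(b"\r\n", b"\n").split(b"\n") if line]


def splitlines_lines(raw: bytes) -> list[str]:
    """Lenient split: decode, then str.splitlines(), which also breaks on
    VT, FF, FS, GS, RS and NEL, so one header line can become several."""
    return [line for line in raw.decode("latin-1").splitlines() if line]


def header_value_is_safe(value: bytes) -> bool:
    """False if the value contains a byte a splitlines()-based parser would
    treat as a line break (the condition daphne now answers with a 400)."""
    return not any(b in NON_STANDARD_LINE_SEPARATORS for b in value)


def handshake_status(raw: bytes) -> int:
    """Parse header lines on CRLF only and return 400 if any value contains a
    non-standard separator, otherwise 200 meaning the handshake may proceed."""
    for line in crlf_lines(raw):
        _name, _sep, value = line.partition(b":")
        if not header_value_is_safe(value.strip()):
            return 400
    return 200


if __name__ == "__main__":
    print("strict split:    ", crlf_lines(SAMPLE_HEADERS))
    print("splitlines split:", splitlines_lines(SAMPLE_HEADERS))
    print("status:", handshake_status(SAMPLE_HEADERS))
```

The strict split keeps the sample as two header lines while `splitlines()` yields three, which is exactly the extra header the description says reaches the ASGI scope; the check returns 400 for it.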
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
twisted | twisted | *
autobahn | autobahn | *
CWE
CWE ID | Description
CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in daphne versions before 4.2.2, where it reconstructs a raw HTTP request from Twisted's parsed headers and passes it to autobahn for WebSocket handshake processing.

Twisted does not recognize certain byte values (\x0b, \x0c, \x1c, \x1d, \x1e, or \x85) as header line separators, but autobahn decodes header values to strings and splits them by lines.

This difference in parsing allows an attacker to inject additional headers into the ASGI scope that is passed to the application.

Daphne 4.2.2 and later versions mitigate this by rejecting requests containing these bytes in any header value with a 400 response.


How can this vulnerability impact me?

An attacker exploiting this vulnerability can inject additional HTTP headers into the ASGI scope passed to the application.

This could potentially lead to unexpected behavior in the application, such as bypassing security controls or manipulating application logic that relies on header values.

However, the CVSS score of 3.7 indicates a low severity impact, with low confidentiality impact and no integrity or availability impact.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade daphne to version 4.2.2 or later, as this version rejects requests containing the problematic bytes in any header value with a 400 response.

