CVE-2026-44546
Analyzed Analyzed - Analysis Complete
Daphne ASGI Header Injection via Non-Standard Bytes

Publication date: 2026-06-03

Last updated on: 2026-06-15

Assigner: Django Software Foundation

Description
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-15
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-44546
EUVD
EUVD-2026-34092
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
djangoproject daphne to 4.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in daphne versions before 4.2.2, where it reconstructs a raw HTTP request from Twisted's parsed headers and passes it to autobahn for WebSocket handshake processing.

Twisted does not recognize certain byte values (\x0b, \x0c, \x1c, \x1d, \x1e, or \x85) as header line separators, but autobahn decodes header values to strings and splits them by lines.

This difference in parsing allows an attacker to inject additional headers into the ASGI scope that is passed to the application.

Daphne 4.2.2 and later versions mitigate this by rejecting requests containing these bytes in any header value with a 400 response.

Impact Analysis

An attacker exploiting this vulnerability can inject additional HTTP headers into the ASGI scope passed to the application.

This could potentially lead to unexpected behavior in the application, such as bypassing security controls or manipulating application logic that relies on header values.

However, the CVSS score of 3.7 indicates a low severity impact, with low confidentiality impact and no integrity or availability impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade daphne to version 4.2.2 or later, as this version rejects requests containing the problematic bytes in any header value with a 400 response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44546. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart