CVE-2026-50052
HTTP/2 Request Smuggling in Varnish Cache
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vinyl_cache | vinyl_cache | to 9.0.1 (exc) |
| varnish_cache | varnish_cache | to 9.0.3 (exc) |
| varnish_cache | varnish_cache | From 7.6.0 (inc) to 8.0.1 (inc) |
| varnish_cache | varnish_cache | From 6.0.14 (inc) to 6.0.17 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-50052 is a vulnerability in Vinyl Cache and Varnish Cache related to how HTTP/2 requests are parsed. Specifically, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desynchronization attack, also known as request smuggling.
This attack allows an attacker to interfere with the normal processing of HTTP requests between the client and backend server, potentially leading to cache poisoning, authentication bypass, or even information disclosure and manipulation.
The vulnerability exists only if HTTP/2 support has been enabled by setting the feature parameter to include +http2. HTTP/2 support is disabled by default.
How can this vulnerability impact me?
If exploited, this vulnerability can have several serious impacts:
- Cache poisoning - attackers can inject malicious content into the cache, causing users to receive incorrect or harmful data.
- Authentication bypass - attackers may bypass authentication mechanisms, gaining unauthorized access.
- Information disclosure and manipulation - sensitive data could be exposed or altered by attackers.
These impacts depend on HTTP/2 support being enabled, which is not the default setting.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability exists only if HTTP/2 support is enabled by setting the feature parameter to include +http2. Therefore, detection should start by verifying if HTTP/2 is enabled in your Vinyl Cache or Varnish Cache configuration.
To detect potential exploitation attempts, monitoring for backend request desync or request smuggling patterns in HTTP/2 traffic is recommended. However, specific detection commands or tools are not provided in the available resources.
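For the first step above (confirming whether HTTP/2 is enabled), the following script is an added example, not taken from the advisory or from the Varnish project. It reads the feature parameter with `varnishadm param.show feature` and reports whether `http2` is on. The function names are hypothetical, the sample output is constructed, and the "Value is:" line format is an assumption to check against your release.

```shell
#!/bin/sh
# Added example: report whether the `feature` parameter leaves HTTP/2 enabled.

# Constructed sample of `varnishadm param.show feature` output (not from a real host).
SAMPLE_ON='feature
        Value is: +http2,+esi_disable_xml_check
        Default is: none'

# Read param.show output on stdin and print the current value.
# Assumption: the value is on a "Value is:" line, optionally ending in "(default)".
feature_value() {
    sed -n 's/^[[:space:]]*Value is:[[:space:]]*//p' |
        sed 's/[[:space:]]*(default)$//' | head -n 1
}

# Walk the comma-separated flags left to right; the last one naming http2 wins.
# "none" means no feature bits are set. Prints "enabled" or "disabled".
http2_state() {
    state=disabled
    old_ifs=$IFS
    IFS=','
    for flag in $1; do
        case "$(printf '%s' "$flag" | tr -d '[:space:]')" in
            +http2) state=enabled ;;
            -http2 | none) state=disabled ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$state"
}

# Use the live daemon when varnishadm can reach it, otherwise the sample above.
if command -v varnishadm >/dev/null 2>&1 &&
    live=$(varnishadm param.show feature 2>/dev/null); then
    value=$(printf '%s\n' "$live" | feature_value)
else
    value=$(printf '%s\n' "$SAMPLE_ON" | feature_value)
fi
echo "feature value: $value -> http2 $(http2_state "$value")"
```

`varnishadm param.set feature -http2` turns the feature off at runtime, but the change survives a restart only if +http2 is also removed from the `-p feature=` argument that starts varnishd.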
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to disable HTTP/2 support by removing +http2 from the feature parameter. HTTP/2 support is disabled by default, and the vulnerability exists only when it is enabled.
Alternatively, you can apply a vmod_re2 header filter to remove invalid headers or implement a VCL-based solution to close desync vulnerabilities. The exact VCL mitigation snippets vary depending on the version of Varnish Cache you are using.
Upgrading to fixed versions is also recommended: Vinyl Cache 9.0.1, Varnish Cache 9.0.3, 8.0.2, 6.0.18 LTS, or Varnish Enterprise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Vinyl Cache and Varnish Cache can lead to cache poisoning, authentication bypass, and potentially information disclosure or manipulation. Such security issues could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and data breaches.
Specifically, information disclosure and authentication bypass could result in unauthorized access to protected data, violating confidentiality and integrity requirements mandated by these regulations.
However, the vulnerability only exists if HTTP/2 support is enabled, which is disabled by default, and mitigations such as disabling HTTP/2 or applying specific filters can reduce the risk.