CVE-2026-50052
Awaiting Analysis Awaiting Analysis - Queue
HTTP/2 Request Smuggling in Varnish Cache

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-50052
EUVD
EUVD-2026-34066
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vinyl_cache vinyl_cache to 9.0.1 (exc)
varnish_cache varnish_cache to 9.0.3 (exc)
varnish_cache varnish_cache From 7.6.0 (inc) to 8.0.1 (inc)
varnish_cache varnish_cache From 6.0.14 (inc) to 6.0.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50052 is a vulnerability in Vinyl Cache and Varnish Cache related to how HTTP/2 requests are parsed. Specifically, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desynchronization attack, also known as request smuggling.

This attack allows an attacker to interfere with the normal processing of HTTP requests between the client and backend server, potentially leading to cache poisoning, authentication bypass, or even information disclosure and manipulation.

The vulnerability only exists if HTTP/2 support is enabled by setting the feature parameter to include +http2, which is disabled by default.

Impact Analysis

If exploited, this vulnerability can have several serious impacts:

  • Cache poisoning - attackers can inject malicious content into the cache, causing users to receive incorrect or harmful data.
  • Authentication bypass - attackers may bypass authentication mechanisms, gaining unauthorized access.
  • Information disclosure and manipulation - sensitive data could be exposed or altered by attackers.

These impacts depend on HTTP/2 support being enabled, which is not the default setting.

Detection Guidance

The vulnerability exists only if HTTP/2 support is enabled by setting the feature parameter to include +http2. Therefore, detection should start by verifying if HTTP/2 is enabled in your Vinyl Cache or Varnish Cache configuration.

To detect potential exploitation attempts, monitoring for backend request desync or request smuggling patterns in HTTP/2 traffic is recommended. However, specific detection commands or tools are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling HTTP/2 support by removing the +http2 feature parameter, as HTTP/2 support is disabled by default and the vulnerability only exists when it is enabled.

Alternatively, you can apply a vmod_re2 header filter to remove invalid headers or implement a VCL-based solution to close desync vulnerabilities. The exact VCL mitigation snippets vary depending on the version of Varnish Cache you are using.

Upgrading to fixed versions is also recommended: Vinyl Cache 9.0.1, Varnish Cache 9.0.3, 8.0.2, 6.0.18 LTS, or Varnish Enterprise.

Compliance Impact

The vulnerability in Vinyl Cache and Varnish Cache can lead to cache poisoning, authentication bypass, and potentially information disclosure or manipulation. Such security issues could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and data breaches.

Specifically, information disclosure and authentication bypass could result in unauthorized access to protected data, violating confidentiality and integrity requirements mandated by these regulations.

However, the vulnerability only exists if HTTP/2 support is enabled, which is disabled by default, and mitigations such as disabling HTTP/2 or applying specific filters can reduce the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart