CVE-2026-54388
Tinyproxy HTTP Request Smuggling via Duplicate Content-Length Headers

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: tinyproxy
Product: tinyproxy
Version / Range: 1.11.3
CWE
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Executive Summary

This vulnerability exists in Tinyproxy versions up to 1.11.3. The proxy fails to reject HTTP requests that contain multiple Content-Length headers with different values. Instead of rejecting such requests, Tinyproxy forwards all duplicate headers to the backend server but uses only the first Content-Length value to determine how many bytes of the request body to read.

This behavior can cause the proxy and the backend server to become desynchronized in their parsing of the HTTP request. As a result, a remote attacker can inject arbitrary HTTP requests to the backend server, which can lead to cache poisoning, bypassing access controls, and hijacking requests.
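The check that the description and the summary above imply is missing in affected versions is a reject-on-disagreement rule for Content-Length: a proxy that sees two Content-Length values that differ must answer 400 Bad Request rather than pick one and forward the rest. The following C function is an added example written for this page; it is not Tinyproxy's code and not the content of the fixing commit 364cdb6. It assumes headers arrive as a NULL-terminated array of already-split "Name: value" lines, and the enum names are this example's own.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Outcome of validating the Content-Length header(s) of one request. */
enum cl_status {
    CL_ABSENT = 0,    /* no Content-Length header present */
    CL_OK = 1,        /* exactly one value, or duplicates that all agree */
    CL_CONFLICT = 2,  /* duplicates with differing values: reject with 400 */
    CL_MALFORMED = 3  /* non-numeric, signed, overlong or junk value: reject with 400 */
};

/* Parse one Content-Length field value strictly: optional surrounding
 * whitespace, then ASCII digits only, no sign, must fit in a long.
 * Returns 0 on success and stores the value in *out. */
static int parse_content_length(const char *value, long *out)
{
    const char *p = value;
    long n = 0;
    while (*p == ' ' || *p == '\t') p++;              /* leading OWS */
    if (!isdigit((unsigned char)*p)) return -1;        /* empty, sign, letters */
    for (; isdigit((unsigned char)*p); p++) {
        int d = *p - '0';
        if (n > (LONG_MAX - d) / 10) return -1;        /* would overflow */
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t') p++;              /* trailing OWS */
    if (*p != '\0') return -1;                         /* trailing junk */
    *out = n;
    return 0;
}

/* Scan all header lines (assumed format, CRLF already stripped). Every
 * Content-Length occurrence is parsed and compared; the first value is
 * never trusted on its own. On CL_OK, *body_len is the agreed length. */
enum cl_status validate_content_length(const char *const *headers, long *body_len)
{
    int seen = 0;
    long agreed = -1;
    for (size_t i = 0; headers[i] != NULL; i++) {
        const char *h = headers[i];
        const char *colon = strchr(h, ':');
        if (colon == NULL) continue;
        size_t name_len = (size_t)(colon - h);
        /* Header names are case-insensitive; match the whole name only. */
        if (name_len != strlen("Content-Length") ||
            strncasecmp(h, "Content-Length", name_len) != 0)
            continue;
        long v;
        if (parse_content_length(colon + 1, &v) != 0) return CL_MALFORMED;
        if (seen && v != agreed) return CL_CONFLICT;
        agreed = v;
        seen = 1;
    }
    if (!seen) return CL_ABSENT;
    *body_len = agreed;
    return CL_OK;
}

int main(void)
{
    /* Constructed sample header set of the kind the advisory describes:
     * two Content-Length values that disagree. The proxy must not forward it. */
    const char *const conflicting_cl[] = {
        "Host: backend.internal.test",
        "Content-Length: 4",
        "Content-Length: 44",
        NULL
    };
    long len = 0;
    enum cl_status st = validate_content_length(conflicting_cl, &len);
    printf("status=%d (2 means conflicting Content-Length: respond 400 and close)\n", st);
    return (st == CL_OK || st == CL_ABSENT) ? 0 : 1;
}
```

Two design points: the function compares every occurrence instead of stopping at the first, which is exactly the difference between the affected behaviour ("uses the first value") and the required behaviour; and it treats a malformed value as a hard error rather than falling back to zero, since a silently discarded header is the other way a proxy and backend end up reading different body boundaries. This matches RFC 9112 section 6.3, which requires a recipient of conflicting Content-Length values to treat the message as an unrecoverable error.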

Impact Analysis

The vulnerability can have severe impact: a remote attacker can inject arbitrary HTTP requests to the backend server, which enables:

  • Cache poisoning - attackers can manipulate cached content served by the backend.
  • Access control bypass - attackers may gain unauthorized access to restricted resources.
  • Request hijacking - attackers can intercept or alter legitimate requests.