CVE Reports

Originally published at cvereports.com

CVE-2026-2835: HTTP Request Smuggling in Cloudflare Pingora

Vulnerability ID: CVE-2026-2835
CVSS Score: 9.3
Published: 2026-03-05

A critical HTTP Request Smuggling vulnerability (CWE-444) exists in Cloudflare Pingora versions prior to 0.8.0. The vulnerability stems from non-compliant parsing of HTTP/1.0 request bodies and ambiguous 'Transfer-Encoding' headers. By crafting malicious HTTP requests that exploit these framing inconsistencies, unauthenticated attackers can desynchronize the proxy from backend servers, leading to cache poisoning, security control bypasses, and potential session hijacking.

TL;DR

Pingora < 0.8.0 improperly handles HTTP/1.0 bodies and Transfer-Encoding headers, allowing attackers to smuggle requests past the proxy. Fixed in v0.8.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-444
  • Attack Vector: Network
  • CVSS v4.0: 9.3 (Critical)
  • EPSS Score: 0.00048 (14.80%)
  • Impact: Request Smuggling / Cache Poisoning
  • Fix Version: 0.8.0

Affected Systems

  • Cloudflare Pingora < 0.8.0
  • Applications built using pingora-core < 0.8.0
  • Pingora: < 0.8.0 (Fixed in: 0.8.0)

Code Analysis

Commit: 7f7166d

Improve Transfer-Encoding parsing to only accept 'chunked' as the final encoding

fn is_chunked_encoding_from_headers... if let Some(value) = headers.get_all(TRANSFER_ENCODING).next_back() ...

Commit: 40c3c1e

Fix HTTP/1.0 request body framing; disable close-delimited requests

if req.header.content_length.is_none() ... self.body_reader.init_fixed_length(0);

Mitigation Strategies

  • Upgrade Pingora framework to version 0.8.0
  • Enforce strict HTTP/1.1 compliance in upstream servers
  • Disable HTTP/1.0 support if not operationally required
  • Implement WAF rules to detect ambiguous Transfer-Encoding headers

Remediation Steps:

  1. Identify all services utilizing Pingora versions < 0.8.0.
  2. Update the pingora dependency in Cargo.toml to ^0.8.0.
  3. Rebuild and redeploy the affected services.
  4. Verify the fix by attempting to send requests with Transfer-Encoding: chunked, identity; the server should now reject them or process them strictly.
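As an added illustration of the framing rules that the two fixes in the Code Analysis section enforce, and of why the header in step 4 must be rejected, here is a strict body-framing decision in Rust. It is example code, not Pingora's own: the `Framing` enum, `decide_framing` and the (name, value) header tuples are assumptions of this example.

```rust
// Added example, not Pingora's code: a strict HTTP/1.x request-body framing
// decision mirroring the two fixes above. `headers` are (name, value) pairs in
// wire order; the same rule applies to HTTP/1.0 and HTTP/1.1 requests.
#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    Fixed(u64),
    Reject(&'static str),
}

pub fn decide_framing(headers: &[(&str, &str)]) -> Framing {
    let te: Vec<&str> = headers.iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case("transfer-encoding"))
        .map(|(_, v)| *v).collect();
    let cl: Vec<&str> = headers.iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case("content-length"))
        .map(|(_, v)| *v).collect();

    if !te.is_empty() {
        // CL and TE together is the classic desync primitive: refuse, do not pick one.
        if !cl.is_empty() {
            return Framing::Reject("both Transfer-Encoding and Content-Length");
        }
        // Like next_back() on the header iterator: only the last TE field, and
        // only its last comma-separated coding, decides the framing.
        let last = te.last().unwrap()
            .split(',').map(str::trim).filter(|c| !c.is_empty()).last();
        return match last {
            Some(c) if c.eq_ignore_ascii_case("chunked") => Framing::Chunked,
            _ => Framing::Reject("chunked is not the final Transfer-Encoding"),
        };
    }
    match cl.as_slice() {
        // No CL and no TE: an empty body. This is the init_fixed_length(0)
        // path that replaces close-delimited HTTP/1.0 request bodies.
        [] => Framing::Fixed(0),
        [one] => one.trim().parse::<u64>()
            .map_or(Framing::Reject("invalid Content-Length"), Framing::Fixed),
        // Repeated CL is tolerated only when every value is identical.
        many if many.iter().all(|v| v.trim() == many[0].trim()) => {
            decide_framing(&[("content-length", many[0])])
        }
        _ => Framing::Reject("conflicting Content-Length values"),
    }
}

fn main() {
    // The header from remediation step 4 above: rejected instead of guessed at.
    println!("{:?}", decide_framing(&[("Transfer-Encoding", "chunked, identity")]));
}
```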

Read the full report for CVE-2026-2835 on our website for more details including interactive diagrams and full exploit analysis.
