CVE Reports
Posted on • Originally published at cvereports.com

CVE-2026-2836: Host-Blind Cache Poisoning in Cloudflare Pingora

Vulnerability ID: CVE-2026-2836
CVSS Score: 8.4
Published: 2026-03-05

A high-severity cache poisoning vulnerability exists in Cloudflare Pingora versions prior to 0.8.0 due to an insecure default implementation of the cache key generation logic. The default CacheKey trait implementation constructed cache keys using only the URI path and query string, ignoring the Host header and URI scheme. This 'host-blind' behavior allows attackers targeting multi-tenant or shared proxy environments to poison the cache by associating malicious content with a path (e.g., /lib.js) that is subsequently served to legitimate users requesting the same path on a different domain.

TL;DR

Pingora < 0.8.0 used a default cache key that ignored the Host header. Attackers can poison the cache in multi-tenant environments by requesting a path on a controlled domain, causing the proxy to serve that content to victims requesting the same path on a different domain. Fixed in v0.8.0 by removing the insecure default.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-444
  • Attack Vector: Network
  • CVSS v4.0: 8.4 (High)
  • EPSS Score: 0.00014
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Exploit Status: PoC Available (Private)

Affected Systems

  • Cloudflare Pingora < 0.8.0
  • Reverse Proxies built on Pingora
  • Load Balancers built on Pingora
  • API Gateways built on Pingora
  • Pingora: < 0.8.0 (Fixed in: 0.8.0)

Code Analysis

Commit: 257b59a

Remove default CacheKey implementation to enforce explicit key definition

- pub fn default(req_header: &ReqHeader) -> Self {
-    CacheKey {
-        primary: format!("{}", req_header.uri).into_bytes(),
-    }
- }
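Review bot: the removed `primary: format!("{}", req_header.uri).into_bytes()` is the only key material in this constructor, and with `default` deleted the hunk shows no replacement or doc comment telling callers what to build instead. Suggest documenting at the point of removal (changelog or a doc comment on `CacheKey`) that keys must now be constructed explicitly and should carry the scheme and Host alongside `req_header.uri`, and that entries written under the old URI-only key need flushing after the upgrade.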

Commit: 1e3469b

Hardening protocol state transitions and framing validation

/* Protocol Hardening Changes */

Mitigation Strategies

  • Upgrade to Pingora v0.8.0+
  • Implement strict cache key generation including Host and Scheme
  • Disable caching for unauthenticated or multi-tenant routes if proper keying cannot be guaranteed
  • Implement 'Vary: Host' headers in upstream responses (though reliance on upstream behavior is less robust)

Remediation Steps:

  1. Update Cargo.toml to require pingora = "0.8.0".
  2. Identify all implementations of the ProxyHttp trait in the codebase.
  3. Implement cache_key_callback for each instance.
  4. Ensure the new callback concatenates Scheme, Host, and Path into the primary key.
  5. Deploy the updated proxy and flush existing caches to remove potential poison entries.
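
The key construction that step 4 calls for, next to the URI-only key from the removed default, as an added std-only example (not Pingora's code or API). `Req`, `host_blind_key`, `host_aware_key` and `second_request_hits` are hypothetical names, and the requests are constructed samples; in a real proxy this logic would sit inside the `cache_key_callback` implementation.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the request fields a proxy sees; not a Pingora type.
pub struct Req<'a> {
    pub scheme: &'a str,
    pub host: &'a str, // Host header value
    pub uri: &'a str,  // path plus query string
}

// Mirrors the removed default shown above: the key is the URI and nothing else.
pub fn host_blind_key(r: &Req) -> Vec<u8> {
    format!("{}", r.uri).into_bytes()
}

// Scheme + host + URI. Each field is length-prefixed so that moving bytes
// between fields cannot produce the same key.
pub fn host_aware_key(r: &Req) -> Vec<u8> {
    let scheme = r.scheme.to_ascii_lowercase();
    let host = r.host.to_ascii_lowercase();
    // Drop the scheme's default port so "h" and "h:443" share one entry.
    let default_port = if scheme == "https" { ":443" } else { ":80" };
    let host = host.strip_suffix(default_port).unwrap_or(&host);
    let mut key = Vec::new();
    for part in [scheme.as_str(), host, r.uri] {
        key.extend_from_slice(&(part.len() as u32).to_be_bytes());
        key.extend_from_slice(part.as_bytes());
    }
    key
}

// Toy cache: store a response under the first request's key, then report
// whether the second request would be served that stored entry.
pub fn second_request_hits(keyer: fn(&Req) -> Vec<u8>, first: &Req, second: &Req) -> bool {
    let mut cache: HashMap<Vec<u8>, &str> = HashMap::new();
    cache.insert(keyer(first), "body fetched for the first request");
    cache.contains_key(&keyer(second))
}

fn main() {
    // Constructed sample requests: two tenants behind one proxy, same path.
    let a = Req { scheme: "https", host: "tenant-a.example", uri: "/lib.js" };
    let b = Req { scheme: "https", host: "tenant-b.example", uri: "/lib.js" };
    println!("host-blind key shares entry: {}", second_request_hits(host_blind_key, &a, &b));
    println!("host-aware key shares entry: {}", second_request_hits(host_aware_key, &a, &b));
}
```

Normalizing only case and the default port errs toward extra cache misses; it never merges two distinct hosts into one entry.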

Read the full report for CVE-2026-2836 on our website for more details including interactive diagrams and full exploit analysis.