CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

Vulnerability ID: CVE-2026-39805
CVSS Score: 6.3
Published: 2026-05-07

Bandit, an HTTP server for Elixir, in versions before 1.11.0 does not reject requests that carry more than one Content-Length header: it honours the first value and ignores the rest. When Bandit sits behind a reverse proxy that resolves the same conflict differently (for example by honouring the last value, or by forwarding both headers untouched), the two parsers disagree about where the request body ends. That disagreement is a CL.CL request smuggling condition: bytes the proxy treated as the tail of one request body are parsed by Bandit as the start of a second request, one the proxy never inspected and never applied its access controls to.

TL;DR

Bandit < 1.11.0 accepts duplicate Content-Length headers and honours only the first one, where RFC 9112 requires a server to reject a message whose Content-Length values disagree. Behind a reverse proxy that picks a different value (or forwards the ambiguous request untouched), an attacker can append a second request to the body and have Bandit process it, bypassing access controls that are enforced only at the front end.
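The desynchronisation described above, modelled in Python as an added example (this is not code from the Bandit project or from the advisory): three minimal request-stream splitters consume the same bytes under different Content-Length policies. The "first" policy stands in for Bandit before 1.11.0 as the advisory describes it; the "last" policy is an assumed front-end behaviour used only to make the disagreement visible, and the advisory does not attribute it to any particular proxy; the "strict" policy is the RFC 9112 section 6.3 rule the fix implements. The payload, hosts and paths are constructed for the example.

```python
"""Offline model of a CL.CL desync: one byte stream, several Content-Length policies.

Added example, not code from the Bandit project or the advisory. The "first"
policy mirrors the pre-1.11.0 behaviour described above; "last" is an assumed
front-end behaviour used only to show the disagreement; "strict" is the
RFC 9112 section 6.3 rule that the fix implements.
"""
from __future__ import annotations

CRLF = b"\r\n"


class AmbiguousLength(ValueError):
    """Raised when a policy refuses to pick a single body length."""


def content_length(headers: list[tuple[bytes, bytes]], policy: str) -> int:
    """Resolve the body length from a parsed header list under one policy."""
    values = [v.strip() for k, v in headers if k.strip().lower() == b"content-length"]
    if not values:
        return 0
    for v in values:
        if not v.isdigit():
            raise AmbiguousLength(f"non-numeric Content-Length {v!r}")
    if policy == "first":
        return int(values[0])
    if policy == "last":
        return int(values[-1])
    if policy == "strict":
        # Differing values MUST be rejected (RFC 9112 s6.3); identical
        # duplicates may be collapsed to one value (RFC 9110 s8.6).
        if len(set(values)) > 1:
            raise AmbiguousLength(f"conflicting Content-Length values {values}")
        return int(values[0])
    raise ValueError(f"unknown policy {policy!r}")


def split_requests(stream: bytes, policy: str) -> list[dict]:
    """Cut a byte stream into requests the way a parser using `policy` would."""
    requests: list[dict] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            break  # incomplete head: a real server would wait for more bytes
        lines = stream[pos:end].split(CRLF)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name, value))
        body_start = end + 4
        length = content_length(headers, policy)
        requests.append({"line": lines[0].decode(), "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return requests


def desync(stream: bytes, frontend: str, backend: str) -> dict:
    """Compare both parsers; requests the backend sees beyond the front end's count were smuggled."""
    result: dict = {"smuggled": []}
    try:
        front = split_requests(stream, frontend)
    except AmbiguousLength as exc:
        result["rejected_by_frontend"] = str(exc)
        return result  # the ambiguous request never reaches the backend
    try:
        back = split_requests(stream, backend)
    except AmbiguousLength as exc:
        result["rejected_by_backend"] = str(exc)
        return result
    result["frontend_requests"] = [r["line"] for r in front]
    result["backend_requests"] = [r["line"] for r in back]
    result["smuggled"] = [r["line"] for r in back[len(front):]]
    return result


# Constructed payload: a POST whose body ends with a complete second request.
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
BODY = b"abcd" + HIDDEN
PAYLOAD = (
    b"POST / HTTP/1.1\r\nHost: app\r\n"
    b"Content-Length: 4\r\n"                       # what a first-value parser honours
    + b"Content-Length: %d\r\n" % len(BODY)        # what a last-value parser honours
    + CRLF + BODY
)
# Identical duplicates are a different case: strict mode may collapse and accept them.
SAME_TWICE = b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nContent-Length: 4\r\n\r\nabcd"

if __name__ == "__main__":
    print("last/first  :", desync(PAYLOAD, "last", "first"))
    print("strict/first:", desync(PAYLOAD, "strict", "first"))
    print("last/strict :", desync(PAYLOAD, "last", "strict"))
```

With a last-value front end and a first-value backend, the front end forwards one POST with a 38-byte body while the backend parses that same stream as a POST with a 4-byte body followed by GET /admin, which is the smuggled request. Making either side strict closes the gap: the ambiguous request is refused before a second parser ever sees it. Identical duplicate values are deliberately accepted in strict mode, because RFC 9110 permits collapsing them; only differing values are the smuggling primitive.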


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-444
  • Attack Vector: Network
  • CVSS v4.0: 6.3
  • EPSS Score: 0.00017 (percentile 4.03%)
  • Impact: Security Control Bypass
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Bandit (Elixir HTTP server) < 1.11.0 (fixed in 1.11.0)

Code Analysis

Commit: f2ca636

Fix HTTP request smuggling vulnerability by rejecting requests with multiple Content-Length headers

Exploit Details

  • GitHub fix commit: the patch ships with a regression test that sends a request carrying multiple Content-Length headers; that test case is the public proof of concept.

Mitigation Strategies

  • Upgrade Bandit to 1.11.0 or later, which rejects requests carrying multiple Content-Length headers.
  • Configure front-end proxies to reject (HTTP 400) requests with multiple Content-Length headers rather than normalising them and forwarding, so the ambiguity never reaches the backend.
  • Deploy WAF rules that flag duplicate Content-Length headers, bearing in mind that a WAF which rewrites or forwards those headers is one more parser whose framing must agree with Bandit's.

Remediation Steps:

  1. Raise the bandit requirement in mix.exs to 1.11.0 or later
  2. Run mix deps.update bandit (or mix deps.get) and confirm the resolved version in mix.lock
  3. Recompile the application and deploy it to the target environment
  4. Verify that the front-end proxy rejects requests with conflicting Content-Length headers instead of normalising them, so its framing can never diverge from Bandit's
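For step 4, and for the proxy-configuration mitigation above, a small active probe, added here as an example rather than taken from the advisory or the Bandit project. It sends one request whose two Content-Length values disagree and whose body is only as long as the smaller value, so each of the three possible parser behaviours produces a distinguishable outcome. Host, port and path are placeholders for the deployment under test.

```python
"""Live check for the remediation step above: does the edge (and, after the
upgrade, Bandit itself) reject a request whose two Content-Length headers
disagree? Added example, not from the advisory or the Bandit project.
Host, port and path are placeholders for the deployment under test.
"""
from __future__ import annotations

import socket


def ambiguous_request(host: str, path: str = "/") -> bytes:
    """POST with Content-Length 4 and 5, but only four body bytes on the wire.

    A strict parser answers 400 at once. A parser that honours the first
    value has a complete request and answers at once with some other status.
    A parser that honours the later value is still waiting for a fifth body
    byte, so the probe times out instead of receiving a response.
    """
    return (
        b"POST " + path.encode() + b" HTTP/1.1\r\n"
        + b"Host: " + host.encode() + b"\r\n"
        + b"Content-Length: 4\r\n"
        + b"Content-Length: 5\r\n"
        + b"Connection: close\r\n\r\n"
        + b"abcd"
    )


def parse_status(raw: bytes) -> int | None:
    """Status code from the first line of an HTTP/1.x response, or None."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(status: int | None, timed_out: bool) -> str:
    """Map the observed outcome to what the parser did with the two values."""
    if timed_out:
        return "waiting-on-larger-value"  # later value honoured or passed through: fix the edge
    if status == 400:
        return "rejected"  # RFC 9112 s6.3 behaviour: the desired outcome
    if status is None:
        return "unparseable-response"
    return "accepted-first-value"  # first value honoured: the pre-1.11.0 Bandit behaviour


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Send the ambiguous request to host:port and classify what came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ambiguous_request(host, path))
        try:
            raw = sock.recv(4096)
        except socket.timeout:
            return classify(None, timed_out=True)
    return classify(parse_status(raw), timed_out=False)


if __name__ == "__main__":
    import sys

    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(probe(target_host, target_port))
```

Run it against the public edge first, then from inside the network against Bandit directly. "rejected" is the target state at both hops. "waiting-on-larger-value" at the edge paired with "accepted-first-value" from Bandit is exactly the CL.CL pair this advisory describes. Because the third outcome is detected by timeout, raise the timeout on slow links before treating a silence as evidence.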

