CVSS Score: 9.3 Published: 2026-03-05 Full Report: https://cvereports.com/reports/CVE-2026-2833
A critical HTTP request smuggling vulnerability exists in Cloudflare Pingora versions prior to v0.8.0 due to improper handling of HTTP connection upgrades. The proxy prematurely transitions to a blind tunneling state upon observing an 'Upgrade' header in a client request, without waiting for the upstream server's confirmation (101 Switching Protocols). This allows attackers to desynchronize the connection state between the proxy and the backend, enabling the smuggling of arbitrary HTTP requests that bypass security controls, WAFs, and authentication layers.
Pingora proxies < v0.8.0 fail to validate backend confirmation before upgrading connections (e.g., WebSockets), allowing attackers to smuggle requests past security controls by exploiting state desynchronization.
- CVE ID: CVE-2026-2833
- CVSS Score: 9.3 (Critical)
- CWE ID: CWE-444 (Inconsistent Interpretation of HTTP Requests)
- Attack Vector: Network
- Impact: WAF Bypass, Cache Poisoning, Authorization Bypass
- Fix Version: v0.8.0
- Cloudflare Pingora: < 0.8.0 (Fixed in: 0.8.0)
- Upgrade to Fixed Version: Update Pingora to version 0.8.0 or later immediately.
- Request Filtering (Workaround): Configure the proxy to reject or block all requests containing the 'Upgrade' header if patching is not immediately feasible.
- Disable WebSockets: Temporarily disable WebSocket support in the proxy configuration if not strictly required for business operations.
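The following Rust model, added here and not taken from Pingora's code base, illustrates the state desynchronization described above and the 'Upgrade'-header filtering workaround. The type and function names (ConnState, Request, Response, parse_upgrade_header, state_after_request_vulnerable, state_after_response, should_reject_as_workaround) are hypothetical, and the sample request head is constructed. It contrasts a proxy that enters blind tunneling as soon as the client sends an Upgrade header with one that only does so after the upstream answers 101 Switching Protocols with a matching Upgrade token.

```rust
// Added example (not Pingora's code): a minimal model of the proxy-side
// connection-state decision that CVE-2026-2833 describes. Names are
// hypothetical; only the state-transition logic is the point.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConnState {
    /// Proxy keeps framing traffic as HTTP/1.1 messages and can inspect each request.
    Http,
    /// Proxy copies bytes blindly in both directions; no further HTTP inspection.
    Tunnel,
}

/// The only request detail this model needs: the value of an `Upgrade` header, if any.
pub struct Request {
    pub upgrade: Option<String>,
}

/// The only response details this model needs: status code and `Upgrade` header.
pub struct Response {
    pub status: u16,
    pub upgrade: Option<String>,
}

/// Extract the `Upgrade` header value from a raw HTTP/1.1 request head.
/// Header names match case-insensitively; the request line is skipped and
/// parsing stops at the blank line, so nothing in the body counts as a header.
pub fn parse_upgrade_header(raw: &str) -> Option<String> {
    for line in raw.split("\r\n").skip(1) {
        if line.is_empty() {
            break; // end of headers
        }
        if let Some((name, value)) = line.split_once(':') {
            if name.trim().eq_ignore_ascii_case("upgrade") {
                return Some(value.trim().to_string());
            }
        }
    }
    None
}

/// Behaviour the advisory attributes to Pingora < 0.8.0: the client's Upgrade
/// header alone moves the connection into tunnel mode before the upstream has
/// answered. If the upstream then replies with anything other than 101, the
/// proxy and the backend disagree about how the following bytes are framed.
pub fn state_after_request_vulnerable(req: &Request) -> ConnState {
    if req.upgrade.is_some() {
        ConnState::Tunnel
    } else {
        ConnState::Http
    }
}

/// Hardened decision: tunnel only once the upstream has confirmed with
/// 101 Switching Protocols and an Upgrade token matching what the client asked for.
/// Every other response keeps HTTP framing, so proxy and backend stay in sync.
pub fn state_after_response(req: &Request, resp: &Response) -> ConnState {
    match (&req.upgrade, resp.status, &resp.upgrade) {
        (Some(want), 101, Some(got)) if want.eq_ignore_ascii_case(got) => ConnState::Tunnel,
        _ => ConnState::Http,
    }
}

/// The advisory's interim workaround: refuse any request carrying an Upgrade
/// header so the proxy never has to make the upgrade decision at all.
pub fn should_reject_as_workaround(req: &Request) -> bool {
    req.upgrade.is_some()
}

fn main() {
    // Constructed sample request head; not captured traffic.
    let raw = "GET /chat HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n";
    let req = Request { upgrade: parse_upgrade_header(raw) };

    // Upstream declines the upgrade (for instance, an auth layer rejects it).
    let denied = Response { status: 403, upgrade: None };
    println!("vulnerable, before upstream answers: {:?}", state_after_request_vulnerable(&req));
    println!("hardened, after 403 from upstream:   {:?}", state_after_response(&req, &denied));

    // Upstream accepts the upgrade.
    let accepted = Response { status: 101, upgrade: Some("websocket".to_string()) };
    println!("hardened, after 101 from upstream:   {:?}", state_after_response(&req, &accepted));
    println!("workaround rejects request: {}", should_reject_as_workaround(&req));
}
```

The vulnerable path reports Tunnel for the sample request regardless of what the backend later says; the hardened path reports Http after a 403 and Tunnel only after a 101 whose Upgrade token matches, which is the check that keeps both ends framing the connection the same way.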
Remediation Steps:
- Identify all services using the pingora crate versions < 0.8.0.
- Update Cargo.toml to specify pingora = "0.8.0".
- Rebuild and redeploy the affected services.
- Verify the fix by attempting a known smuggling test case against a non-production environment.
Generated by CVEReports - Automated Vulnerability Intelligence