CVSS Score: 9.3 Published: 2026-03-05 Full Report: https://cvereports.com/reports/CVE-2026-2835
A critical HTTP Request Smuggling vulnerability (CWE-444) exists in Cloudflare Pingora versions prior to 0.8.0. The vulnerability stems from non-compliant parsing of HTTP/1.0 request bodies and ambiguous 'Transfer-Encoding' headers. By crafting malicious HTTP requests that exploit these framing inconsistencies, unauthenticated attackers can desynchronize the proxy from backend servers, leading to cache poisoning, security control bypasses, and potential session hijacking.
Pingora < 0.8.0 improperly handles HTTP/1.0 bodies and Transfer-Encoding headers, allowing attackers to smuggle requests past the proxy. Fixed in v0.8.0.
- CWE ID: CWE-444
- Attack Vector: Network
- CVSS v4.0: 9.3 (Critical)
- EPSS Score: 0.00048 (14.80%)
- Impact: Request Smuggling / Cache Poisoning
- Fix Version: 0.8.0
- Cloudflare Pingora < 0.8.0
- Applications built using pingora-core < 0.8.0
- Pingora: < 0.8.0 (Fixed in:
0.8.0)
- Upgrade Pingora framework to version 0.8.0
- Enforce strict HTTP/1.1 compliance in upstream servers
- Disable HTTP/1.0 support if not operationally required
- Implement WAF rules to detect ambiguous Transfer-Encoding headers
Remediation Steps:
- Identify all services utilizing Pingora versions < 0.8.0.
- Update the
pingoradependency inCargo.tomlto^0.8.0. - Rebuild and redeploy the affected services.
- Verify the fix by attempting to send requests with
Transfer-Encoding: chunked, identity—the server should now reject them or process them strictly.
Generated by CVEReports - Automated Vulnerability Intelligence