Vulnerability-Lookup

GHSA-MWJG-3FM6-9V84

Vulnerability from github – Published: 2026-06-03 06:31 – Updated: 2026-06-03 06:31

Details

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Severity

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-50052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T06:16:35Z",
    "severity": "LOW"
  },
  "details": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault.",
  "id": "GHSA-mwjg-3fm6-9v84",
  "modified": "2026-06-03T06:31:26Z",
  "published": "2026-06-03T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50052"
    },
    {
      "type": "WEB",
      "url": "https://vinyl-cache.org/security/VSV00019.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-50052 (GCVE-0-2026-50052)

Vulnerability from cvelistv5 – Published: 2026-06-03 03:56 – Updated: 2026-06-03 13:27

Summary

Severity

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

mitre

References

1 reference

URL	Tags
https://vinyl-cache.org/security/VSV00019.html

Impacted products

3 products

Vendor	Product	Version
The Vinyl Cache Project	Vinyl Cache	Affected: 9.0.0 Unaffected: 9.0.1
The Vinyl Cache Project	Varnish Cache (pre split)	Affected: 7.6.0 , ≤ 8.0.1 (semver) Unaffected: 8.0.2 Affected: 6.0.14 , ≤ 6.0.17 (semver) Unaffected: 6.0.18
Varnish Software	Varnish Cache by Varnish Software	Affected: 9.0.0 , ≤ 9.0.2 (semver) Unaffected: 9.0.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50052",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T13:27:03.836713Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T13:27:33.193Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Vinyl Cache",
          "programFiles": [
            "bin/vinyld/http2/cache_http2_hpack.c"
          ],
          "repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
          "vendor": "The Vinyl Cache Project",
          "versions": [
            {
              "status": "affected",
              "version": "9.0.0"
            },
            {
              "status": "unaffected",
              "version": "9.0.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Varnish Cache (pre split)",
          "programFiles": [
            "bin/varnishd/http2/cache_http2_hpack.c"
          ],
          "repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache",
          "vendor": "The Vinyl Cache Project",
          "versions": [
            {
              "lessThanOrEqual": "8.0.1",
              "status": "affected",
              "version": "7.6.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "8.0.2"
            },
            {
              "lessThanOrEqual": "6.0.17",
              "status": "affected",
              "version": "6.0.14",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "6.0.18"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Varnish Cache by Varnish Software",
          "programFiles": [
            "bin/vinyld/http2/cache_http2_hpack.c"
          ],
          "repo": "https://github.com/varnish/varnish",
          "vendor": "Varnish Software",
          "versions": [
            {
              "lessThanOrEqual": "9.0.2",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "9.0.3"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003ehttp2 enabled\u003c/div\u003e\u003cdiv\u003eexploitable URLs present (require request body)\u003c/div\u003e"
            }
          ],
          "value": "http2 enabled\n\nexploitable URLs present (require request body)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "AUTOMATIC",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T03:59:35.155Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://vinyl-cache.org/security/VSV00019.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUpdate to fix version\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Update to fix version"
        }
      ],
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch3\u003eDisable HTTP/2\u003c/h3\u003e\u003cp\u003eThe vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set feature -http2\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by removing \u003ccode\u003e-p feature=+http2\u003c/code\u003e from the \u003ccode\u003evinyld\u003c/code\u003e startup\nparameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the \u003ccode\u003eh2\u003c/code\u003e ALPN. For example with \u003ccode\u003ehaproxy\u003c/code\u003e, in the\n\u003ccode\u003elisten\u003c/code\u003e/\u003ccode\u003ebind\u003c/code\u003e configuration directive, \u003ccode\u003ealpn h2,http/1.1\u003c/code\u003e should be\nreplaced with \u003ccode\u003ealpn http/1.1\u003c/code\u003e.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\n\n\n\n  *  at runtime by issuing vinyladm param.set feature -http2\n\n\n\n  *  persistently by removing -p feature=+http2 from the vinyld startup\nparameters\n\n\n\n\n\n\nNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the h2 ALPN. For example with haproxy, in the\nlisten/bind configuration directive, alpn h2,http/1.1 should be\nreplaced with alpn http/1.1."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch3\u003eIn VCL, add a vmod re2 header filter\u003c/h3\u003e\u003cp\u003eThis method requires \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e header filters (see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://vinyl-cache.org/tutorials/hdr_filter.html\"\u003etutorial\u003c/a\u003e for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\u003c/p\u003e\n\u003cp\u003eTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n        new sane = re2.set(anchor=start, case_sensitive=false);\n        # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n        # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n        sane.add(\"[-!#$%\u0026amp;\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n        sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eTo the best of our knowledge, where \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\"\u003evmod_re2\u003c/a\u003e is already used with a\n\u003ccode\u003ehdr_filter\u003c/code\u003e in allow mode (second argument \u003ccode\u003etrue\u003c/code\u003e), protection is already\nsufficient unless the empty string is allowed.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "In VCL, add a vmod re2 header filterThis method requires  vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .\n\n\n vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2  header filters (see the  tutorial https://vinyl-cache.org/tutorials/hdr_filter.html  for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\n\n\nTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\n\n\n## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n        new sane = re2.set(anchor=start, case_sensitive=false);\n        # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n        # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n        sane.add(\"[-!#$%\u0026\u0027*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n        sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nTo the best of our knowledge, where  vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2  is already used with a\nhdr_filter in allow mode (second argument true), protection is already\nsufficient unless the empty string is allowed."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch4\u003e\u0026gt;= 7.6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\u003c/p\u003e\n\u003cp\u003eFor Vinyl Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evinyladm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evinyld\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eFor Varnish Cache:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cp\u003eat runtime by issuing \u003ccode\u003evarnishadm param.set vcc_feature +allow_inline_c\u003c/code\u003e\u003c/p\u003e\u003c/li\u003e\n\u003cli\u003e\u003cp\u003epersistently by adding \u003ccode\u003e-p vcc_feature=+allow_inline_c\u003c/code\u003e to the \u003ccode\u003evarnishd\u003c/code\u003e\nstartup parameters\u003c/p\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n        unset req.http.vsv19;\n        if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n                return;\n        }\n        set req.http.vsv19 = \"1\";\n        C{\n                VRT_SetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length, 0,\n                        TOSTRAND(VRT_GetHdr(ctx, \u0026amp;VGC_HDR_REQ_content_2d_length)));\n        }C\n}\nsub vcl_recv {\n        call recv_vsv19;\n}\nsub vcl_backend_fetch {\n        if (bereq.http.vsv19) {\n                set bereq.http.Connection = \"close\";\n        }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "\u003e= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\n\n\nFor Vinyl Cache:\n\n\n\n  *  at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c\n\n\n\n  *  persistently by adding -p vcc_feature=+allow_inline_c to the vinyld\nstartup parameters\n\n\n\n\n\n\nFor Varnish Cache:\n\n\n\n  *  at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c\n\n\n\n  *  persistently by adding -p vcc_feature=+allow_inline_c to the varnishd\nstartup parameters\n\n\n\n\n\n\nBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n        unset req.http.vsv19;\n        if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n                return;\n        }\n        set req.http.vsv19 = \"1\";\n        C{\n                VRT_SetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length, 0,\n                        TOSTRAND(VRT_GetHdr(ctx, \u0026VGC_HDR_REQ_content_2d_length)));\n        }C\n}\nsub vcl_recv {\n        call recv_vsv19;\n}\nsub vcl_backend_fetch {\n        if (bereq.http.vsv19) {\n                set bereq.http.Connection = \"close\";\n        }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch4\u003e6.0 plain VCL mitigation\u003c/h4\u003e\u003cp\u003eFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\u003c/p\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n        unset req.http.vsv19;\n        if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n                return;\n        }\n        set req.http.vsv19 = \"1\";\n        set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n        call recv_vsv19;\n}\nsub vcl_backend_fetch {\n        if (bereq.http.vsv19) {\n                set bereq.http.Connection = \"close\";\n        }\n}\n#\n## END vsv19 mitigation\n\u003c/pre\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003eIn addition, care must be taken that \u003ccode\u003ebereq.http.Connection\u003c/code\u003e is not unset\nanywhere else in the custom VCL.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n        unset req.http.vsv19;\n        if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n                return;\n        }\n        set req.http.vsv19 = \"1\";\n        set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n        call recv_vsv19;\n}\nsub vcl_backend_fetch {\n        if (bereq.http.vsv19) {\n                set bereq.http.Connection = \"close\";\n        }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-50052",
    "datePublished": "2026-06-03T03:56:01.974Z",
    "dateReserved": "2026-06-03T03:56:01.075Z",
    "dateUpdated": "2026-06-03T13:27:33.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-MWJG-3FM6-9V84

CVE-2026-50052 (GCVE-0-2026-50052)

Tags

Sightings

Nomenclature