PT-2026-23080 · Pingora · Pingora

Rajat Raghav · Published 2026-03-04 · Updated 2026-03-12 · CVE-2026-2833 · CVSS v4.0 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Pingora versions prior to 0.8.0

Description: An HTTP request smuggling issue (CWE-444) exists in Pingora's handling of HTTP/1.1 connection upgrades. The issue arises when the proxy reads a request with an Upgrade header and forwards the remaining bytes on the connection to a backend before the backend has accepted the upgrade. This allows an attacker to send a malicious payload after a request containing an Upgrade header, which the backend may interpret as a subsequent request header, bypassing security controls. This can lead to bypassing proxy-level ACL controls and WAF logic, poisoning caches and upstream connections, and performing cross-user attacks by hijacking sessions or smuggling requests. Cloudflare's CDN infrastructure was not affected. The vulnerable component is the handling of the Upgrade header in HTTP requests.

Recommendations: Upgrade to Pingora version 0.8.0 or higher. As a workaround, return an error from the request filter logic on any request that carries an Upgrade header, so that bytes beyond the request header are not processed, and disable downstream connection reuse.
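An added example, not Pingora's or Cloudflare's code, that expresses the workaround above as a self-contained Rust check: a request carrying an Upgrade header is rejected at the proxy, so whatever followed its header block on the connection is never forwarded. Header parsing is simplified and the names `FilterDecision`, `requests_upgrade`, `filter_request`, `split_header_block` and `parse_headers` are assumptions; in Pingora the decision would be made in the request filter.

```rust
// Added example (not Pingora's own code): the advisory's workaround as a
// self-contained check; a Pingora request filter would answer Reject with an error response.

/// What the proxy does with one request after inspecting its header block.
#[derive(Debug, PartialEq)]
pub enum FilterDecision {
    /// Forward as usual.
    Forward,
    /// Fail with this status; nothing past the header block is read or forwarded.
    Reject(u16),
}

/// True if the header block asks for a protocol upgrade: an `Upgrade` header
/// is present (names are case-insensitive) or `Connection` lists `upgrade`.
pub fn requests_upgrade(headers: &[(&str, &str)]) -> bool {
    headers.iter().any(|(name, value)| {
        name.eq_ignore_ascii_case("upgrade")
            || (name.eq_ignore_ascii_case("connection")
                && value.split(',').any(|t| t.trim().eq_ignore_ascii_case("upgrade")))
    })
}

/// Workaround from the advisory: reject any request carrying an Upgrade header
/// so bytes after the header block are never forwarded to the backend.
pub fn filter_request(headers: &[(&str, &str)]) -> FilterDecision {
    if requests_upgrade(headers) { FilterDecision::Reject(400) } else { FilterDecision::Forward }
}

/// Splits a raw HTTP/1.1 read buffer into the header block and the bytes that followed
/// it (the part a vulnerable forward would carry upstream); None while the block is incomplete.
pub fn split_header_block(buf: &[u8]) -> Option<(&[u8], &[u8])> {
    let end = buf.windows(4).position(|w| w == b"\r\n\r\n")? + 4;
    Some((&buf[..end], &buf[end..]))
}

/// Parses the header lines after the request line into (name, value) pairs.
pub fn parse_headers(block: &[u8]) -> Vec<(&str, &str)> {
    let text = std::str::from_utf8(block).unwrap_or("");
    text.split("\r\n")
        .skip(1)
        .filter_map(|line| line.split_once(':').map(|(n, v)| (n.trim(), v.trim())))
        .collect()
}

fn main() {
    // Constructed sample: an upgrade request followed by extra bytes on the same connection.
    let raw = b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\nGET /second HTTP/1.1\r\nHost: example.test\r\n\r\n";
    let (block, rest) = split_header_block(raw).expect("complete header block");
    println!("{:?}; {} trailing bytes not forwarded", filter_request(&parse_headers(block)), rest.len());
}
```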

Fix

HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

CVE-2026-2833
GHSA-F9V3-J2M7-4HPG
GHSA-XQ2H-P299-VJWV
RUSTSEC-2026-0033

Affected Products

Pingora