PT-2026-23081 · Pingora · Pingora
Rajat Raghav
·
Published
2026-03-04
·
Updated
2026-03-12
·
CVE-2026-2835
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N |
Name of the Vulnerable Software and Affected Versions
Pingora versions prior to 0.8.0
Description
An HTTP request smuggling issue exists because Pingora parsed HTTP/1.0 requests and Transfer-Encoding headers too permissively. Two behaviours combine: an HTTP/1.0 request body was allowed to be close-delimited (read until the connection closed, with no Content-Length to bound it), and requests carrying multiple Transfer-Encoding values were handled incorrectly instead of being rejected. A backend that frames the same bytes differently, for example by treating an HTTP/1.0 request without Content-Length as having no body, or by honouring a different transfer coding from the list, places the end of the request somewhere else than Pingora does, so bytes Pingora forwarded as a body are parsed by the backend as the start of a second request. An attacker who can reach the proxy could use this desynchronization to bypass proxy-level access control lists and web application firewall logic, poison caches and reused upstream connections, and attack other users by hijacking their sessions or smuggling requests onto their connections. Cloudflare's CDN infrastructure was not affected. The source advisory names no specific API endpoints, parameters, variables, or functions.
Recommendations
Upgrade to Pingora version 0.8.0 or later.
Until the upgrade is deployed, as a workaround, reject at the proxy every request that falls outside the one unambiguous framing: non-HTTP/1.1 requests (whose body could be close-delimited), requests with an invalid Content-Length (for example duplicate, non-numeric, or list-valued), requests carrying more than one Transfer-Encoding header, and requests whose Transfer-Encoding value is anything other than exactly “chunked”. Each of these is a case in which Pingora and a backend could disagree about where the request ends.
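The framing rules behind the description and the workaround above, as an added example in Rust (Pingora's language) that is not Pingora's code and not part of the advisory: a fail-closed check that classifies a request head into exactly one body framing and rejects every head that two HTTP/1 parsers could frame differently. The type and function names (Framing, Reject, check_framing) and the sample request heads are this example's own.

```rust
// Added example, not Pingora's own code: a fail-closed request-framing check
// implementing the advisory's workaround. All names here are this example's own.

/// How the body must be read once a head is accepted.
#[derive(Debug, PartialEq, Eq)]
pub enum Framing {
    /// HTTP/1.1 with neither Content-Length nor Transfer-Encoding: no body.
    Empty,
    /// Body is exactly this many bytes.
    ContentLength(u64),
    /// Body is chunked and ends with the zero-size chunk.
    Chunked,
}

/// Why a head is refused instead of forwarded.
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    /// HTTP/1.0 (or anything else): its body could be close-delimited.
    NotHttp11,
    /// Duplicate, empty, non-decimal, signed, or list-valued Content-Length.
    InvalidContentLength,
    /// More than one Transfer-Encoding header line.
    MultipleTransferEncoding,
    /// Transfer-Encoding present but not exactly "chunked" (e.g. "chunked, identity").
    TransferEncodingNotChunked,
    /// Both Content-Length and Transfer-Encoding: two framings for one body.
    ConflictingFraming,
    /// Bad request line, whitespace before ':', obs-fold, or a line without ':'.
    MalformedHead,
}

/// Accepts only a Content-Length that is a plain run of ASCII digits.
fn parse_content_length(value: &str) -> Option<u64> {
    if value.is_empty() || !value.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    value.parse::<u64>().ok() // a value that overflows u64 is also refused
}

/// Inspects a request head (request line and header lines separated by CRLF, up to
/// the first empty line) and returns the single unambiguous framing, or the reason
/// to reject. The check rejects, it does not repair.
pub fn check_framing(head: &str) -> Result<Framing, Reject> {
    let mut lines = head.split("\r\n");
    let request_line = lines.next().unwrap_or("");
    let fields: Vec<&str> = request_line.split(' ').collect();
    if fields.len() != 3 || fields.iter().any(|f| f.is_empty()) {
        return Err(Reject::MalformedHead);
    }
    // First workaround rule: only HTTP/1.1, whose body is never close-delimited.
    if fields[2] != "HTTP/1.1" {
        return Err(Reject::NotHttp11);
    }

    let mut content_length: Option<u64> = None;
    let mut transfer_encoding: Option<&str> = None;
    for line in lines {
        if line.is_empty() {
            break; // end of head
        }
        if line.starts_with(' ') || line.starts_with('\t') {
            return Err(Reject::MalformedHead); // obsolete line folding
        }
        let (name, value) = line.split_once(':').ok_or(Reject::MalformedHead)?;
        // "Content-Length : 5" must not slip through as an unknown header.
        if name.is_empty() || name.bytes().any(|b| b.is_ascii_whitespace()) {
            return Err(Reject::MalformedHead);
        }
        let value = value.trim_matches(|c: char| c == ' ' || c == '\t');
        if name.eq_ignore_ascii_case("content-length") {
            if content_length.is_some() {
                return Err(Reject::InvalidContentLength); // duplicate, even if equal
            }
            content_length =
                Some(parse_content_length(value).ok_or(Reject::InvalidContentLength)?);
        } else if name.eq_ignore_ascii_case("transfer-encoding") {
            if transfer_encoding.is_some() {
                return Err(Reject::MultipleTransferEncoding);
            }
            transfer_encoding = Some(value);
        }
    }

    match (content_length, transfer_encoding) {
        (Some(_), Some(_)) => Err(Reject::ConflictingFraming),
        // Exactly "chunked": "chunked, identity", "Chunked" or "xchunked" is refused.
        (None, Some("chunked")) => Ok(Framing::Chunked),
        (None, Some(_)) => Err(Reject::TransferEncodingNotChunked),
        (Some(n), None) => Ok(Framing::ContentLength(n)),
        (None, None) => Ok(Framing::Empty),
    }
}

fn main() {
    // Constructed sample heads; only the first three are forwarded.
    let samples = [
        "POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\n",
        "POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: app\r\n\r\n",
        "POST /upload HTTP/1.0\r\nHost: app\r\n\r\n",
        "POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n",
        "POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
        "POST /upload HTTP/1.1\r\nContent-Length: 5, 5\r\n\r\n",
        "POST /upload HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    ];
    for head in samples {
        let shown = head.trim_end().replace("\r\n", " | ");
        println!("{}\n    -> {:?}", shown, check_framing(head));
    }
}
```

Running it prints a verdict for each of the eight constructed heads; only the first three are accepted. The check is deliberately stricter than RFC 9112, which for instance matches transfer-coding names case-insensitively and tells a server to prefer Transfer-Encoding when Content-Length is also present: the goal here is to refuse anything a backend might frame differently, not to be maximally tolerant. Rejecting all HTTP/1.0 traffic also drops legitimate HTTP/1.0 clients, so this is a stopgap until 0.8.0 is deployed, not a permanent policy.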
Fix
Weakness Enumeration
HTTP Request/Response Smuggling
Related Identifiers
CVE-2026-2835
Affected Products
Pingora