PT-2026-23082 · Pingora · Pingora

Rajat Raghav · Published 2026-03-04 · Updated 2026-03-12 · CVE-2026-2836

CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Pingora versions prior to 0.8.0

Description: A cache poisoning issue exists in the Pingora HTTP proxy framework's default cache key construction. The default HTTP cache key implementation derives the cache key from the URI path alone and excludes the Host header, so requests for the same path on different hosts map to the same cache entry. This can lead to cache poisoning and to cross-origin responses being served to users: in multi-tenant deployments an attacker can cause cross-tenant data leakage, or serve malicious content to legitimate users by poisoning a shared cache entry.

Recommendations: Upgrade to Pingora version 0.8.0 or higher, which removes the insecure default cache key implementation. Users must implement their own cache key callback that includes the appropriate factors, such as the Host header and the upstream peer's HTTP scheme. If unable to upgrade, remove any use of the default CacheKey and provide a custom implementation that includes the Host header and the upstream peer's HTTP scheme.
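The following is an added illustration, not Pingora's own code and not the advisory's text. It models the two keying schemes the advisory contrasts in a stand-alone program: a weak key built from the path only, and a hardened key that also binds the upstream scheme and the Host header. A toy shared cache then shows why the weak key lets one tenant's cached response be served to another tenant. The `Request`, `Cache`, `weak_cache_key` and `hardened_cache_key` names are assumptions made for this example; in a real deployment the hardened derivation would live in the application's Pingora cache key callback, whose exact signature is not shown on this page.

```rust
use std::collections::HashMap;

/// Minimal model of the request fields that matter for cache keying.
/// Constructed for this example; not Pingora's request header type.
#[derive(Debug, Clone)]
pub struct Request {
    pub scheme: &'static str, // scheme used to reach the upstream peer
    pub host: &'static str,   // value of the Host header
    pub path: &'static str,   // request URI path (plus query, if any)
}

/// The weak derivation the advisory describes: the key is the path only,
/// so every host sharing the proxy collides on the same entry.
pub fn weak_cache_key(req: &Request) -> String {
    req.path.to_string()
}

/// Hardened derivation: bind the key to scheme and Host as well as path.
/// Host is lowercased because host names compare case-insensitively.
pub fn hardened_cache_key(req: &Request) -> String {
    format!("{}://{}{}", req.scheme, req.host.to_ascii_lowercase(), req.path)
}

/// A toy shared cache parameterised by the key derivation in use.
pub struct Cache<F: Fn(&Request) -> String> {
    key_fn: F,
    entries: HashMap<String, String>,
}

impl<F: Fn(&Request) -> String> Cache<F> {
    pub fn new(key_fn: F) -> Self {
        Cache { key_fn, entries: HashMap::new() }
    }

    /// Serve from cache on a hit; otherwise fetch from the origin and store.
    pub fn get_or_fetch(&mut self, req: &Request, origin: impl Fn(&Request) -> String) -> String {
        let key = (self.key_fn)(req);
        if let Some(body) = self.entries.get(&key) {
            return body.clone();
        }
        let body = origin(req);
        self.entries.insert(key, body.clone());
        body
    }
}

/// Two tenants share one cache; tenant A is cached first, then tenant B asks
/// for the same path. Returns (body served to B under the weak key,
/// body served to B under the hardened key).
pub fn simulate_cross_tenant() -> (String, String) {
    // Constructed origin: each tenant's origin returns a body naming that tenant.
    let origin = |r: &Request| format!("body-for-{}", r.host);
    let a = Request { scheme: "https", host: "tenant-a.example", path: "/index.html" };
    let b = Request { scheme: "https", host: "tenant-b.example", path: "/index.html" };

    let mut weak = Cache::new(weak_cache_key);
    weak.get_or_fetch(&a, origin); // entry "/index.html" now holds tenant A's body
    let weak_served_to_b = weak.get_or_fetch(&b, origin);

    let mut hardened = Cache::new(hardened_cache_key);
    hardened.get_or_fetch(&a, origin);
    let hardened_served_to_b = hardened.get_or_fetch(&b, origin);

    (weak_served_to_b, hardened_served_to_b)
}

fn main() {
    let (weak, hardened) = simulate_cross_tenant();
    println!("weak keying serves tenant B:     {weak}");
    println!("hardened keying serves tenant B: {hardened}");
}
```

Under the weak key, tenant B receives `body-for-tenant-a.example`, which is exactly the cross-tenant leak the advisory warns about; under the hardened key each tenant gets its own entry, and an `http` and an `https` request for the same host and path are also kept apart. A review check for any custom callback is therefore simple: every factor that changes the upstream response (Host, scheme, and any other routing input) must be part of the key.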

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
IDOR

Related Identifiers

CVE-2026-2836
GHSA-2M8C-2374-465F
GHSA-F93W-PCJ3-RGGC
RUSTSEC-2026-0035

Affected Products

Pingora