PT-2026-25163 · Unknown+2 · Erlang/Otp+2

Konrad Pietrzak · Published 2026-03-13 · Updated 2026-05-21 · CVE-2026-23941

CVSS v2.0: 9.7 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 28.4.1
Erlang OTP versions 26.2.5.18 and 27.3.4.9
inets versions 5.10 through 9.6.1
inets versions 9.1.0.5 and 9.3.2.3
Description

An inconsistent interpretation of HTTP requests ('HTTP Request Smuggling') exists in the inets httpd module of Erlang OTP. The issue lies in lib/inets/src/http_server/httpd_request.erl, in the httpd_request:parse_headers/7 routine. The server does not properly handle duplicate Content-Length headers: it uses the first value encountered to parse the body, while common reverse proxies use the last value. This discrepancy violates RFC 9112 Section 6.3 and can lead to front-end/back-end desynchronization, potentially allowing an attacker to inject controlled bytes into the start of subsequent requests.
Recommendations

Update Erlang OTP to a version later than 28.4.1.
Update Erlang OTP to a version later than 27.3.4.9.
Update Erlang OTP to a version later than 26.2.5.18.
Update inets to a version later than 9.6.1.
Update inets to a version later than 9.3.2.3.
Update inets to a version later than 9.1.0.5.
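The framing mismatch described above, worked through as an added illustration (this is not code from Erlang/OTP, inets, or the advisory's author): a small header parser applies the two lenient rules the description contrasts, "first Content-Length wins" (the vulnerable httpd behaviour) and "last Content-Length wins" (the proxy behaviour), and then the RFC 9112 Section 6.3 rule, which treats differing duplicate values as an unrecoverable framing error. The request bytes are constructed for the example; the leftover bytes between the two lengths are exactly what would be read as the start of the next request on the back end.

```python
"""Duplicate Content-Length: lenient 'first'/'last' interpretations versus
RFC 9112 section 6.3 framing. Added example, not Erlang/OTP or inets code."""
from typing import List, Optional, Tuple


class InvalidRequest(Exception):
    """Raised when message framing is ambiguous and the request must be rejected."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 message into ordered (name, value) header pairs.

    Names are lower-cased and values stripped; duplicate fields are kept so
    every occurrence can be inspected rather than silently merged.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise InvalidRequest(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("ascii").lower(),
                        value.strip().decode("ascii")))
    return headers


def body_length_lenient(headers, use_first: bool = True) -> Optional[int]:
    """The two lenient rules the advisory contrasts: first value (vulnerable
    httpd) or last value (common reverse proxies). Returns None if absent."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    return int(values[0] if use_first else values[-1])


def body_length_strict(headers) -> Optional[int]:
    """RFC 9112 s6.3 framing: reject CL alongside TE, reject non-numeric or
    conflicting Content-Length values; identical duplicates collapse to one."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    values = [v for n, v in headers if n == "content-length"]
    if te and values:
        # Servers MAY reject a request carrying both; a strict one does.
        raise InvalidRequest("both Transfer-Encoding and Content-Length present")
    if te:
        return None  # framed by Transfer-Encoding, Content-Length not used
    if not values:
        return 0
    # A single field may also carry a comma list; treat each member as a value.
    parts = [p.strip() for v in values for p in v.split(",")]
    if any(not p.isdigit() for p in parts):
        raise InvalidRequest(f"non-numeric Content-Length: {parts}")
    if len(set(parts)) != 1:
        raise InvalidRequest(f"conflicting Content-Length values: {parts}")
    return int(parts[0])


def compare(raw: bytes) -> dict:
    """Show how each rule frames the body of one raw request."""
    headers = parse_headers(raw)
    _, _, body = raw.partition(b"\r\n\r\n")
    first = body_length_lenient(headers, use_first=True)
    last = body_length_lenient(headers, use_first=False)
    try:
        body_length_strict(headers)
        rejected = False
    except InvalidRequest:
        rejected = True
    leftover = b""
    if first is not None and last is not None and last > first:
        # Bytes a 'first wins' server leaves unread while a 'last wins'
        # proxy has already forwarded them as part of this request.
        leftover = body[first:last]
    return {"first": first, "last": last, "leftover": leftover,
            "strict_rejected": rejected}


# Constructed sample: two Content-Length fields that disagree (6 vs 13).
CONFLICTING_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 6\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"a=1&b=2&c=333"
)

# Constructed sample: duplicated but identical values, which s6.3 permits.
IDENTICAL_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 7\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"foo=bar"
)

if __name__ == "__main__":
    print(compare(CONFLICTING_REQUEST))
    print(body_length_strict(parse_headers(IDENTICAL_REQUEST)))
```

For the conflicting request the first-wins server consumes six bytes and leaves `2&c=333` in its input buffer, while the strict rule rejects the message outright; the identical-duplicates request is accepted with a single length of 7.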

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

BDU:2026-07214
CVE-2026-23941
GHSA-W4JC-9WPV-PQH7
OESA-2026-1665
OESA-2026-1666
OESA-2026-1667
OESA-2026-1668
OPENSUSE-SU-2026:20607-1
SUSE-SU-2026:1714-1
SUSE-SU-2026:2010-1
SUSE-SU-2026:21374-1

Affected Products

Erlang/Otp
Red Os
Inets