CVE-2026-33555

Name of the Vulnerable Software and Affected Versions HAProxy versions 2.6 through 3.3.5

Description The HTTP/3 parser fails to verify that the received body length aligns with a previously announced content-length when a stream is closed using a frame with an empty payload. This discrepancy can lead to desynchronization between the proxy and the backend server, potentially enabling request smuggling, which is a technique used to interfere with the way a website processes sequences of HTTP requests.

Recommendations Update to version 3.3.6 or later.