CVE-2026-50052

Name of the Vulnerable Software and Affected Versions Vinyl Cache versions prior to 9.0.1 Varnish Cache versions prior to 9.0.3

Description A deficiency in HTTP/2 request parsing allows for backend request desync attacks, also known as request smuggling. This occurs when the frontend and backend servers disagree on where a request ends, allowing an attacker to "smuggle" a request. This can lead to cache poisoning, authentication bypass, information disclosure, and data manipulation. The issue is only present if HTTP/2 support is enabled by configuring the feature parameter to include +http2. By default, this support is disabled.

Recommendations Update Vinyl Cache to version 9.0.1 or later. Update Varnish Cache to version 9.0.3 or later. As a temporary mitigation, ensure that HTTP/2 support is disabled by removing +http2 from the feature parameter.