PT-2026-45941 · Autobahn+2

Carlton Gibson +1 · Published 2026-06-03 · Updated 2026-06-03 · CVE-2026-44546

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: daphne versions prior to 4.2.2

Description: A parser differential exists when reconstructing raw HTTP requests from Twisted's parsed headers for WebSocket handshake processing in autobahn. While Twisted does not recognize the bytes \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, autobahn decodes these values to strings and utilizes the splitlines() function. This discrepancy allows an attacker to inject additional headers into the ASGI scope passed to the application.

Recommendations: Update to version 4.2.2 or later.
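
The differential described above, as an added Python example (not code from daphne, autobahn or Twisted): it compares a CRLF-only split with str.splitlines() on a constructed header block and shows a check that refuses values containing the listed characters. The function names and the sample headers are assumptions made for illustration, and the example works on already-decoded strings.

```python
# Added illustration; not code from daphne, autobahn or Twisted.
# Characters from the advisory that str.splitlines() treats as line
# boundaries but a CRLF-only HTTP header parser does not.
EXTRA_SEPARATORS = "\x0b\x0c\x1c\x1d\x1e\x85"


def crlf_lines(block: str) -> list[str]:
    """Split a header block the way a strict HTTP parser would: on CRLF only."""
    return [line for line in block.split("\r\n") if line]


def splitlines_lines(block: str) -> list[str]:
    """Split the same block with str.splitlines(), as the advisory describes."""
    return [line for line in block.splitlines() if line]


def differential(block: str) -> list[str]:
    """Return the lines that exist only in the splitlines() view."""
    strict = set(crlf_lines(block))
    return [line for line in splitlines_lines(block) if line not in strict]


def unsafe_separators(text: str) -> list[str]:
    """List the extra separators found in a name or value (empty means safe)."""
    return [ch for ch in text if ch in EXTRA_SEPARATORS]


def rebuild_block(headers: list[tuple[str, str]]) -> str:
    """Hypothetical hardened reconstruction: refuse anything that would split."""
    for name, value in headers:
        found = unsafe_separators(name) + unsafe_separators(value)
        if found:
            raise ValueError(f"header {name!r} contains line separators {found!r}")
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


# Constructed sample: one header whose value carries a \x0b character.
SAMPLE = "Host: example.test\r\nX-Note: a\x0bX-Extra: b\r\n"

if __name__ == "__main__":
    print(crlf_lines(SAMPLE))    # the strict view: two header lines
    print(differential(SAMPLE))  # lines only the splitlines() view sees
```

Rejecting such values at reconstruction time keeps both views of the request identical, whichever way the block is later split.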

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CVE-2026-44546

Affected Products

Twisted
Autobahn
Daphne