PT-2026-50539 · Tinyproxy · Tinyproxy

Tristan Madani · Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-54388

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Tinyproxy versions prior to 1.11.4

Description: Tinyproxy fails to reject requests containing multiple Content-Length headers with differing values. It forwards all duplicate headers to the backend but uses only the first value to determine how many request body bytes to consume. A remote attacker can therefore desynchronize the framing state of the proxy and the backend parser, leading to HTTP Request Smuggling: arbitrary HTTP requests can be injected toward the backend, which can result in cache poisoning, access control bypass, and request hijacking.

Recommendations: Update to the version containing commit 364cdb6.
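The proxy-side check the advisory calls for, as an added example that is not Tinyproxy's own code: instead of trusting the first Content-Length value, the framing step collects every value (repeated fields and comma-joined lists alike) and refuses the request when they disagree. Function names and the sample requests are constructed for this illustration.

```python
import re

CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


class BadRequest(Exception):
    """Raised when request framing is malformed or ambiguous (answer with 400)."""


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs; names lowercased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return headers


def body_length(headers: list[tuple[str, str]]) -> int:
    """Return the body length to consume, rejecting ambiguous Content-Length framing.

    The vulnerable behaviour described in the advisory is to take the first value
    and forward the rest; the backend may then frame the body differently.
    """
    values = []
    for name, value in headers:
        if name == "content-length":
            # "Content-Length: 5, 5" is equivalent to two repeated fields
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return 0
    for v in values:
        if not CONTENT_LENGTH_RE.match(v):
            raise BadRequest(f"invalid Content-Length value: {v!r}")
    if len(set(values)) > 1:
        # Proxy and backend could disagree on where this request ends: reject it
        raise BadRequest(f"conflicting Content-Length values: {values}")
    return int(values[0])


def check(raw: bytes) -> tuple[str, object]:
    """Classify a constructed request as ('ok', length) or ('reject', reason)."""
    try:
        return ("ok", body_length(parse_headers(raw)))
    except BadRequest as exc:
        return ("reject", str(exc))


# Constructed sample requests, not taken from the advisory
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 12\r\n\r\nhello")
```

A proxy that passes this check should also emit a single normalized Content-Length downstream rather than forwarding the duplicates.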

Fix: commit 364cdb6

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers: CVE-2026-54388

Affected Products: Tinyproxy