CVE-2026-2835 Overview
An HTTP Request Smuggling vulnerability (CWE-444) has been discovered in Cloudflare Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora's request framing from backend servers.
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft malicious payloads that exploit differences in how Pingora and backend servers interpret HTTP message boundaries, enabling various attack scenarios including ACL bypass, cache poisoning, and cross-user attacks.
Critical Impact
Attackers can bypass proxy-level ACL controls and WAF logic, poison caches and upstream connections, and perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from trusted proxy IPs.
Affected Products
- Cloudflare Pingora versions prior to v0.8.0
- Standalone Pingora deployments with backends accepting HTTP/1.0 requests
- Proxy configurations without strict Transfer-Encoding validation
Discovery Timeline
- March 5, 2026 - CVE-2026-2835 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2835
Vulnerability Analysis
HTTP Request Smuggling vulnerabilities occur when front-end and back-end servers interpret HTTP request boundaries differently. In this case, Pingora incorrectly handles two key aspects of HTTP message framing: close-delimited bodies in HTTP/1.0 requests and multiple Transfer-Encoding header values.
When a proxy and backend server disagree on where one request ends and another begins, an attacker can "smuggle" a second request hidden within the body of the first. This desynchronization allows the attacker's smuggled request to be interpreted as a legitimate request from the proxy server itself, bypassing security controls that operate at the proxy layer.
The impact extends beyond simple request manipulation. Cache poisoning attacks become possible when smuggled responses are cached and served to legitimate users. Session hijacking can occur when an attacker's smuggled request is paired with a victim's subsequent request. Additionally, since smuggled requests appear to originate from the trusted proxy IP, backend access controls based on source IP can be bypassed entirely.
Cloudflare's CDN infrastructure was not affected by this vulnerability due to additional protections including forwarding HTTP/1.1 requests only, rejecting ambiguous framing such as invalid Content-Length values, and forwarding a single Transfer-Encoding: chunked header for chunked requests.
Root Cause
The root cause lies in Pingora's non-compliance with RFC 9112 specifications for HTTP message length determination. Specifically, Pingora improperly allowed HTTP/1.0 request bodies to be close-delimited, which is not a valid framing mechanism for requests. Additionally, the parser did not correctly handle multiple Transfer-Encoding header values, failing to enforce that only a single chunked value should be accepted. These parsing discrepancies create opportunities for request boundary confusion between Pingora and backend servers.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker targets the HTTP parsing discrepancy between Pingora and backend servers by crafting specially formatted HTTP/1.0 requests with ambiguous message framing. The attack involves sending a request where Pingora interprets the message boundary differently than the backend server, allowing the attacker to inject arbitrary HTTP requests into the backend's request stream.
The attack can be executed by including multiple Transfer-Encoding headers, using Transfer-Encoding values other than the exact string "chunked", or leveraging HTTP/1.0 close-delimited body semantics. When successful, the smuggled request bypasses proxy-level security controls and can target any resource accessible to the backend server.
For detailed technical information about the vulnerability and Pingora architecture, see the Cloudflare Pingora GitHub repository.
Detection Methods for CVE-2026-2835
Indicators of Compromise
- Unusual HTTP/1.0 requests in proxy logs where HTTP/1.1 is expected
- Requests containing multiple Transfer-Encoding headers or non-standard values
- Backend server logs showing requests that don't correspond to proxy logs
- Cache entries containing unexpected or malicious content
- Authentication anomalies where requests appear to originate from trusted proxy IPs
Detection Strategies
- Monitor for HTTP/1.0 requests passing through Pingora proxies, especially with body content
- Implement anomaly detection for requests with multiple or malformed Transfer-Encoding headers
- Compare request logs between proxy and backend servers to identify desynchronization patterns
- Deploy Web Application Firewalls with HTTP Request Smuggling detection signatures
- Enable verbose logging on both proxy and backend servers to correlate request handling
Monitoring Recommendations
- Alert on any Transfer-Encoding header values that are not exactly "chunked"
- Log and review all HTTP/1.0 traffic passing through proxy infrastructure
- Monitor cache hit rates and content integrity for signs of cache poisoning
- Track session anomalies and unexpected authentication events
- Establish baseline traffic patterns to detect smuggling-related anomalies
How to Mitigate CVE-2026-2835
Immediate Actions Required
- Upgrade Pingora to version v0.8.0 or higher immediately
- Review and audit current proxy configurations for HTTP/1.0 acceptance
- Implement request filtering to reject non-HTTP/1.1 requests if HTTP/1.0 is not required
- Validate that backends are configured to reject ambiguous HTTP framing
- Review access logs for signs of exploitation attempts
Patch Information
Pingora version v0.8.0 addresses this vulnerability by correctly parsing message length headers per RFC 9112 and strictly adhering to additional RFC guidelines, including that HTTP request bodies are never close-delimited. Users should upgrade to v0.8.0 or higher to receive the fix.
For the latest release and upgrade instructions, refer to the Cloudflare Pingora GitHub repository.
Workarounds
- Reject any non-HTTP/1.1 requests in Pingora's request filter logic
- Block requests with invalid Content-Length headers
- Reject requests containing multiple Transfer-Encoding headers
- Filter requests where the Transfer-Encoding header is not an exact chunked string match
- Disable downstream connection reuse when suspicious requests are detected
# Example request filter logic (Python-style pseudocode for a Pingora request filter;
# get_all returns every value of a header, so repeated headers are not collapsed)
def request_filter(request):
    # Reject non-HTTP/1.1 requests
    if request.version != "HTTP/1.1":
        return error("Only HTTP/1.1 requests are accepted")
    te_values = request.headers.get_all("Transfer-Encoding")
    # Reject multiple Transfer-Encoding headers
    if len(te_values) > 1:
        return error("Multiple Transfer-Encoding headers not allowed")
    # Reject non-chunked Transfer-Encoding values (exact match only)
    if te_values and te_values[0] != "chunked":
        return error("Invalid Transfer-Encoding value")
    # Reject invalid Content-Length
    if not is_valid_content_length(request.headers.get_all("Content-Length")):
        return error("Invalid Content-Length header")
    return accept()
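Carrying the Root Cause and Workarounds sections through to working code, the following is an added example (not Pingora's own implementation) of a strict RFC 9112 framing check that classifies a raw HTTP/1.x request head as exactly one unambiguous framing or a rejection reason; check_framing, parse_head and the reject_http10 switch are names invented here, and any sample requests are constructed. With reject_http10 set to False it also shows the compliant treatment of an HTTP/1.0 request that carries no length header: no body at all, rather than reading to connection close.

```python
# Added example (not Pingora's code): a strict RFC 9112 request-framing check
# in the spirit of the workarounds above. check_framing and parse_head are
# names invented here; any sample requests fed to them are constructed.
import re
from typing import List, Tuple

def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    # Split a raw request head into (version, [(lowercased name, value), ...]).
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    version = request_line.split(" ")[-1]
    headers = []
    for line in field_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers

def check_framing(raw: bytes, reject_http10: bool = True) -> Tuple[bool, str]:
    # Returns (True, framing) for exactly one unambiguous framing, else
    # (False, reason). Accepted framings: "chunked", "content-length N", "no body".
    version, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if version != "HTTP/1.1":
        if reject_http10:
            return False, "non-HTTP/1.1 request"
        if te:  # RFC 9112 6.1: Transfer-Encoding in an HTTP/1.0 message is faulty framing
            return False, "Transfer-Encoding in HTTP/1.0 request"
    # Transfer-Encoding: exactly one header, value exactly "chunked", no Content-Length.
    if len(te) > 1:
        return False, "multiple Transfer-Encoding headers"
    if te:
        if te[0] != "chunked":
            return False, "Transfer-Encoding is not exactly 'chunked'"
        if cl:
            return False, "Transfer-Encoding and Content-Length both present"
        return True, "chunked"
    # Content-Length: a single ASCII decimal value (rejects "5, 5", "+5", "0x10").
    if len(cl) > 1:
        return False, "multiple Content-Length headers"
    if cl:
        if not re.fullmatch(r"[0-9]+", cl[0]):
            return False, "invalid Content-Length"
        return True, f"content-length {int(cl[0])}"
    # No length header: a request body is never close-delimited (RFC 9112 6.3),
    # so the message has no body. Reading until connection close here is the bug.
    return True, "no body"
```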
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.