Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-29046

CVE-2026-29046: TinyWeb Header Injection Vulnerability

CVE-2026-29046 is a header injection flaw in TinyWeb web server that allows control characters in HTTP headers, enabling CGI variable manipulation. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-29046 Overview

CVE-2026-29046 is a critical HTTP header injection vulnerability in TinyWeb, a lightweight web server (HTTP, HTTPS) written in Delphi for Win32 systems. Prior to version 2.04, TinyWeb's request header parser fails to properly reject dangerous control characters including CR (Carriage Return), LF (Line Feed), and NUL bytes in header lines and values. Additionally, the parser does not consistently defend against URL-encoded forms of these characters such as %0d, %0a, and %00. This improper input validation (CWE-20) can enable header value confusion across parser boundaries and may create unsafe data within the CGI execution context.

Critical Impact

This vulnerability allows remote attackers to inject arbitrary header values and control characters into CGI environment variables (HTTP_*), potentially enabling HTTP response splitting, cache poisoning, and manipulation of downstream CGI application behavior.

Affected Products

  • TinyWeb prior to version 2.04
  • TinyWeb installations with CGI functionality enabled
  • Windows 32-bit systems running vulnerable TinyWeb versions

Discovery Timeline

  • 2026-03-06 - CVE-2026-29046 published to NVD
  • 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2026-29046

Vulnerability Analysis

The vulnerability exists in TinyWeb's HTTP request header parsing mechanism. When processing incoming HTTP requests, TinyWeb extracts header values and maps them to CGI environment variables prefixed with HTTP_. The parser implementation did not implement strict validation to reject control characters that have special meaning in HTTP protocols and downstream CGI contexts.

The core issue stems from insufficient input sanitization where CR (\r or %0d), LF (\n or %0a), and NUL (\0 or %00) characters are accepted in header values. These characters are significant in HTTP protocol syntax as they define header boundaries. When these characters pass through to CGI environment variables, they can cause header value confusion across different parser boundaries, allowing attackers to manipulate how downstream CGI applications interpret the request context.

Root Cause

The root cause is improper input validation (CWE-20) in the HTTP header parsing logic. TinyWeb's parser failed to implement consistent sanitization across both raw and URL-encoded representations of dangerous control characters. The absence of validation allowed malformed input to propagate through to CGI execution contexts where it could influence application behavior.

Attack Vector

This vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can craft malicious HTTP requests containing control characters or their URL-encoded equivalents in header values. When TinyWeb processes these requests and passes the header values to CGI applications through environment variables, the injected control characters can:

  1. Split HTTP responses by injecting CRLF sequences
  2. Corrupt CGI environment variable values through embedded NUL bytes
  3. Cause inconsistent parsing behavior between TinyWeb and downstream applications
  4. Potentially enable cache poisoning attacks if caching infrastructure is present

The attack requires only network access to the vulnerable TinyWeb server with CGI functionality enabled. Technical details and the security patch are available in the GitHub Security Advisory.

Detection Methods for CVE-2026-29046

Indicators of Compromise

  • HTTP request logs containing URL-encoded control characters (%0d, %0a, %00) in header values
  • Unusual or malformed HTTP_* environment variable values in CGI application logs
  • Evidence of HTTP response splitting in web server access logs
  • Anomalous cache behavior or cache poisoning indicators in proxy/CDN logs

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests containing CRLF sequences or their encoded forms in header values
  • Configure intrusion detection systems (IDS) to alert on HTTP requests with %0d, %0a, or %00 patterns in header fields
  • Deploy SentinelOne Singularity platform for real-time behavioral monitoring of web server processes
  • Establish baseline network traffic patterns and alert on anomalous HTTP header structures

Monitoring Recommendations

  • Enable detailed HTTP access logging including full request headers for forensic analysis
  • Monitor CGI process execution for unexpected behavior or output anomalies
  • Implement log aggregation and SIEM correlation to identify exploitation attempts across multiple systems
  • Review server version information to identify vulnerable TinyWeb installations in your environment

How to Mitigate CVE-2026-29046

Immediate Actions Required

  • Upgrade TinyWeb to version 2.04 or later immediately
  • If immediate patching is not possible, consider disabling CGI functionality until the update can be applied
  • Deploy web application firewall rules to filter malicious control characters in incoming requests
  • Audit existing CGI applications for additional input validation as defense-in-depth

Patch Information

The vulnerability has been addressed in TinyWeb version 2.04. The fix implements strict validation to reject control characters including CR, LF, and NUL in both raw and URL-encoded forms within HTTP header parsing. The patch is available through the GitHub commit.

Organizations should review the GitHub Security Advisory (GHSA-r3gf-pg2c-m7mc) for complete technical details and upgrade guidance.

Workarounds

  • Deploy a reverse proxy with strict HTTP header validation in front of TinyWeb to sanitize incoming requests
  • Implement WAF rules to block requests containing %0d, %0a, %00 or raw control characters in header values
  • Disable CGI functionality if not required for business operations
  • Restrict network access to the TinyWeb server to trusted IP ranges only
bash
# Example WAF/ModSecurity rule to block CRLF injection attempts
SecRule REQUEST_HEADERS "@rx (%0d|%0a|%00|\r|\n)" \
    "id:100001,phase:1,deny,status:400,msg:'CRLF Injection Attempt Blocked'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne