CVE-2026-33555 Overview
An HTTP Request Smuggling vulnerability was discovered in HAProxy before version 3.3.6. The HTTP/3 parser fails to validate that the received body length matches a previously announced Content-Length header when the stream is closed via a frame with an empty payload. This validation gap can cause desynchronization issues with backend servers and could be exploited for request smuggling attacks. The earliest affected version is 2.6.
Critical Impact
Attackers can exploit this HTTP/3 parser flaw to bypass security controls, poison web caches, or hijack user sessions through request smuggling techniques.
Affected Products
- HAProxy versions 2.6 through 3.3.5
- HAProxy Aloha (see vendor changelog for specific versions)
- Any deployment using HTTP/3 (QUIC) with Content-Length headers
Discovery Timeline
- 2026-04-13 - CVE-2026-33555 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-33555
Vulnerability Analysis
This vulnerability stems from improper handling of a length-parameter inconsistency (CWE-130) in the HTTP/3 protocol implementation within HAProxy. The HTTP/3 parser processes incoming QUIC streams and uses the Content-Length header to validate message body sizes. However, when a stream terminates with a STREAM frame that carries the FIN bit but no payload (an "empty FIN"), the parser fails to verify that the total body length received so far matches the declared Content-Length value.
This oversight creates a desynchronization condition between the HAProxy frontend and backend servers. When HAProxy forwards a request with an incorrect body length interpretation, the backend server may parse subsequent data as a new request, enabling classic HTTP Request Smuggling attacks.
Root Cause
The root cause lies in the h3.c source file, where the HTTP/3 stream handling logic processes FIN frames. When a FIN with no payload is received on a bidirectional QUIC stream, the code path that checks body size conformance against the Content-Length header was not invoked. This allowed streams to complete successfully even when the body data actually received did not match the advertised length.
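The following is an added illustration, not HAProxy's code: a minimal model of per-stream body accounting in which the "before" receiver skips the Content-Length check on a payload-less FIN and the "after" receiver runs it, as the fix does. All struct, function and return-code names are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Minimal model of an HTTP/3 request stream's body accounting.
 * Constructed for illustration; names are assumptions, not HAProxy's. */
struct h3s_model {
    bool     have_clen;   /* content-length header was announced */
    uint64_t clen;        /* announced body length */
    uint64_t received;    /* body bytes seen so far */
};
enum { H3_OK = 0, H3_ERR_BODY_SIZE = -1 };

/* Body may never exceed content-length, and at FIN must equal it. */
static int h3_body_size_check(const struct h3s_model *s, bool fin)
{
    if (!s->have_clen)
        return H3_OK;
    if (s->received > s->clen)
        return H3_ERR_BODY_SIZE;
    if (fin && s->received != s->clen)
        return H3_ERR_BODY_SIZE;
    return H3_OK;
}

/* Pre-fix (modelled): check runs only on the DATA path, not on a bare FIN. */
static int h3_rx_before(struct h3s_model *s, uint64_t len, bool fin)
{
    if (len == 0 && fin)
        return H3_OK;              /* stream completes unchecked */
    s->received += len;
    return h3_body_size_check(s, fin);
}

/* Post-fix behaviour: a standalone FIN also goes through the check. */
static int h3_rx_after(struct h3s_model *s, uint64_t len, bool fin)
{
    if (len == 0 && fin)
        return h3_body_size_check(s, true);
    s->received += len;
    return h3_body_size_check(s, fin);
}

/* Announce clen, deliver data_len in one DATA frame, then an empty FIN. */
static int scenario(int (*rx)(struct h3s_model *, uint64_t, bool),
                    uint64_t clen, uint64_t data_len)
{
    struct h3s_model s = { .have_clen = true, .clen = clen, .received = 0 };
    int rc = rx(&s, data_len, false);
    return rc != H3_OK ? rc : rx(&s, 0, true);
}
```

With Content-Length 10 and only 5 body bytes followed by an empty FIN, the modelled pre-fix receiver returns H3_OK while the post-fix receiver rejects the stream; an over-long body is caught on the DATA path by both.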
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP/3 requests with mismatched Content-Length headers and body data, then close the stream with an empty FIN frame. This can be used to:
- Smuggle additional HTTP requests to backend servers
- Poison shared caches with malicious content
- Bypass frontend security filters and WAF rules
- Hijack responses intended for other users
// Security patch from HAProxy commit
// Source: https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84
if (!b_data(b) && fin && quic_stream_is_bidi(qcs->id)) {
TRACE_PROTO("received FIN without data", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
+
+ /* FIN received, ensure body length is conform to any content-length header. */
+ if ((h3s->flags & H3_SF_HAVE_CLEN) && h3_check_body_size(qcs, 1)) {
+ qcc_abort_stream_read(qcs);
+ qcc_reset_stream(qcs, h3s->err);
+ goto done;
+ }
+
if (qcs_http_handle_standalone_fin(qcs)) {
TRACE_ERROR("cannot set EOM", H3_EV_RX_FRAME, qcs->qcc->conn, qcs);
qcc_set_error(qcs->qcc, H3_ERR_INTERNAL_ERROR, 1);
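Review bot: the second argument in `h3_check_body_size(qcs, 1)` is a bare literal whose meaning is not stated anywhere in the hunk; either name it in the comment above the call (for example, that it signals the FIN has been received) or pass a defined constant so the intent survives future edits. While there, the comment should read "ensure body length conforms to any content-length header" rather than "is conform to".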
Source: GitHub HAProxy Commit
Detection Methods for CVE-2026-33555
Indicators of Compromise
- HTTP/3 streams terminating with empty FIN frames where body length doesn't match Content-Length header
- Anomalous backend request patterns or unexpected request sequences
- Web cache entries with suspicious or unexpected content
- Log entries showing request body size mismatches on HTTP/3 connections
Detection Strategies
- Monitor HAProxy logs for HTTP/3 protocol errors, particularly H3_ERR_INTERNAL_ERROR events
- Implement backend request logging to identify smuggled or desynchronized requests
- Deploy network monitoring to analyze QUIC/HTTP/3 traffic for malformed frame sequences
- Use SentinelOne Singularity to detect anomalous process behavior on HAProxy servers
Monitoring Recommendations
- Enable detailed HTTP/3 tracing in HAProxy configuration for forensic analysis
- Configure alerts for sudden increases in HTTP/3 protocol errors or stream resets
- Monitor backend servers for unexpected request patterns that may indicate smuggled requests
- Review cache hit/miss ratios for anomalies that could indicate cache poisoning attempts
How to Mitigate CVE-2026-33555
Immediate Actions Required
- Upgrade HAProxy to version 3.3.6 or later immediately
- If upgrade is not possible, consider temporarily disabling HTTP/3 support
- Review HAProxy configurations to ensure proper logging is enabled for HTTP/3 connections
- Audit backend servers for any signs of exploitation or smuggled requests
Patch Information
The vulnerability has been patched in HAProxy version 3.3.6. The fix adds proper body length validation when processing FIN frames on HTTP/3 streams. The patch introduces a check for the H3_SF_HAVE_CLEN flag and calls h3_check_body_size() to validate conformance before allowing the stream to complete successfully.
For detailed patch information, refer to the GitHub HAProxy Commit and the HAProxy Aloha Changelog.
Workarounds
- Disable HTTP/3 support temporarily by removing h3 from bind line options
- Configure backend servers to strictly validate Content-Length headers against actual body sizes
- Implement additional WAF rules to detect and block potential request smuggling patterns
- Use HTTP/2 or HTTP/1.1 as fallback protocols until patching is complete
# Configuration example - Disable HTTP/3 temporarily
# In haproxy.cfg, remove 'h3' option from frontend bind lines
# Before (vulnerable if HTTP/3 is enabled):
# bind :443 ssl crt /etc/ssl/cert.pem alpn h3,h2,http/1.1
# After (HTTP/3 disabled as workaround):
bind :443 ssl crt /etc/ssl/cert.pem alpn h2,http/1.1
# Restart HAProxy to apply changes
systemctl restart haproxy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.