Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33555

CVE-2026-33555: HAProxy HTTP/3 Request Smuggling Flaw

CVE-2026-33555 is a request smuggling vulnerability in HAProxy's HTTP/3 parser that causes desynchronization with backend servers. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2026-33555 Overview

CVE-2026-33555 is an HTTP request smuggling vulnerability in HAProxy versions prior to 3.3.6. The HTTP/3 parser fails to verify that the received body length matches a previously announced Content-Length header when the stream terminates via a frame carrying an empty payload. This desynchronization between HAProxy and the backend server enables request smuggling attacks. The earliest affected release is HAProxy 2.6, and the issue is tracked under CWE-130: Improper Handling of Length Parameter Inconsistency.

Critical Impact

Attackers can desynchronize HAProxy from backend servers over HTTP/3, smuggling crafted requests that bypass front-end security controls.

Affected Products

  • HAProxy versions 2.6 through 3.3.5
  • HAProxy Enterprise builds incorporating the affected HTTP/3 parser
  • HAProxy ALOHA appliances using vulnerable HAProxy core versions

Discovery Timeline

  • 2026-04-13 - CVE-2026-33555 published to the National Vulnerability Database
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-33555

Vulnerability Analysis

The flaw resides in HAProxy's HTTP/3 (H3) request parser. When a client transmits an HTTP/3 request with a Content-Length header that declares a non-zero body length, HAProxy expects DATA frames containing the corresponding payload. The parser, however, does not enforce that the cumulative body bytes received match the declared Content-Length when the stream is closed by a frame carrying an empty payload and the FIN flag set.

This missing check produces a length-parameter inconsistency between what HAProxy forwards downstream and what the backend server processes. Because HAProxy and the origin disagree on where one request ends and the next begins, an attacker can prepend or queue smuggled HTTP requests onto another user's connection. Request smuggling can bypass front-end authorization, poison shared caches, hijack sessions, and exfiltrate or modify responses intended for other clients.

Root Cause

The root cause is improper handling of the length parameter [CWE-130]. The HTTP/3 standalone FIN code path closes the stream without validating that bytes_received == announced_content_length. The upstream fix, applied in commit 05a29544, introduces the missing length check so that mismatched streams are rejected rather than forwarded.

Attack Vector

Exploitation requires network access to an HAProxy frontend that terminates HTTP/3 traffic and proxies it to an HTTP/1.1 or HTTP/2 backend. The attacker sends a QUIC-based HTTP/3 request that advertises a Content-Length larger than the actual body, then closes the stream with an empty-payload FIN frame. HAProxy forwards the truncated request to the backend, which interprets trailing bytes from subsequent legitimate requests as part of the smuggled body, enabling cross-request contamination. Refer to the R3verii technical writeup for protocol-level details.

No verified public proof-of-concept code is available. The vulnerability mechanism is described in the linked advisory and patch.

Detection Methods for CVE-2026-33555

Indicators of Compromise

  • HTTP/3 streams closed by an empty-payload FIN frame where received body bytes do not equal the request's Content-Length value.
  • Backend access logs containing partial or concatenated HTTP requests that do not correspond to any single front-end request ID.
  • Unexpected HTTP verbs or paths appearing in backend logs immediately after legitimate HTTP/3 requests from the same upstream connection.

Detection Strategies

  • Compare HAProxy frontend request logs against backend application logs and alert on request count or URI mismatches.
  • Inspect QUIC and HTTP/3 telemetry for streams that terminate with zero-byte DATA frames after declaring a non-zero Content-Length.
  • Deploy HTTP request smuggling signatures in upstream web application firewalls and intrusion detection systems.

Monitoring Recommendations

  • Enable HAProxy's option httplog and forward logs to a SIEM for correlation across the proxy and backend tiers.
  • Track HAProxy version strings across the fleet and alert when any host runs a build older than 3.3.6.
  • Monitor for abnormal spikes in 400-class responses or backend connection resets that may indicate smuggling attempts.

How to Mitigate CVE-2026-33555

Immediate Actions Required

  • Upgrade HAProxy to version 3.3.6 or later on all load balancers terminating HTTP/3 traffic.
  • Audit HAProxy ALOHA appliances against the HAProxy ALOHA changelog and apply the corresponding firmware update.
  • Review backend access logs for anomalies dating back to the deployment of HTTP/3 on affected proxies.

Patch Information

The issue is fixed in HAProxy 3.3.6. The corrective patch is applied in upstream commit 05a295441c621089ffa4318daf0dbca2dd756a84, which adds the missing body-length consistency check in the HTTP/3 parser. The vendor announcement is available on the HAProxy mailing list archive.

Workarounds

  • Disable HTTP/3 (QUIC) listeners on HAProxy frontends until the patched version is deployed.
  • Restrict HTTP/3 acceptance to trusted networks via firewall rules limiting UDP/443 reachability.
  • Place an HTTP/3-aware web application firewall in front of HAProxy to enforce strict Content-Length validation.
bash
# Temporarily disable QUIC/HTTP/3 in haproxy.cfg until upgrade to 3.3.6
frontend https-in
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Remove or comment out the QUIC bind line below
    # bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    default_backend app_servers

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.