CVE-2026-44546 Overview
CVE-2026-44546 is an HTTP Request Smuggling vulnerability [CWE-444] affecting daphne versions before 4.2.2. Daphne is the reference ASGI HTTP/WebSocket server maintained by the Django project. The flaw arises from a parser differential between Twisted and autobahn during WebSocket handshake processing. An attacker can inject additional headers into the ASGI scope passed to the application by abusing uncommon control bytes that the two parsers handle inconsistently.
Critical Impact
Attackers can smuggle headers into the ASGI scope by embedding \\x0b, \\x0c, \\x1c, \\x1d, \\x1e, or \\x85 bytes within otherwise valid HTTP header values during WebSocket upgrade requests.
Affected Products
- Daphne ASGI server versions before 4.2.2
- Django deployments using Daphne for WebSocket/ASGI handling
- Applications relying on autobahn for WebSocket handshake validation
Discovery Timeline
- 2026-06-03 - CVE-2026-44546 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-44546
Vulnerability Analysis
Daphne reconstructs a raw HTTP request from headers already parsed by Twisted, then forwards the reconstructed bytes to autobahn for WebSocket handshake processing. The two libraries disagree on what constitutes a header line terminator. Twisted treats only canonical CRLF sequences as separators and passes header values containing exotic control bytes through untouched.
Autobahn decodes those header values to Python str and invokes splitlines(), which recognizes a broader set of Unicode line boundaries. Bytes such as \\x0b (vertical tab), \\x0c (form feed), \\x1c, \\x1d, \\x1e (information separators), and \\x85 (next line) are interpreted as line breaks by splitlines() but not by Twisted's parser. This mismatch lets an attacker hide a second header inside what Twisted considers a single header value.
The smuggled header then materializes in the ASGI scope delivered to the downstream application, which may trust headers such as Host, X-Forwarded-For, or authentication tokens. The impact depends on how the application consumes those headers and whether upstream proxies normalize them.
Root Cause
The root cause is inconsistent line-terminator handling between Twisted's HTTP parser and Python's built-in str.splitlines() method used by autobahn. Twisted preserves non-CRLF control bytes inside header values, while splitlines() treats several of them as line boundaries, producing a classic parser differential [CWE-444].
Attack Vector
Exploitation requires sending a crafted WebSocket upgrade request to a Daphne endpoint over the network. The attacker embeds one of the offending bytes followed by a fabricated header name, colon, and value inside a legitimate header value. No authentication or user interaction is required, but attack complexity is high because exploitability depends on the downstream application's reliance on the smuggled header.
The vulnerability mechanism is described in the GitHub Daphne Changelog. No public proof-of-concept code is available at this time.
Detection Methods for CVE-2026-44546
Indicators of Compromise
- WebSocket upgrade requests containing bytes 0x0B, 0x0C, 0x1C, 0x1D, 0x1E, or 0x85 within any HTTP header value.
- HTTP 400 responses generated by Daphne 4.2.2 or later when these bytes are present, indicating attempted exploitation against a patched server.
- Unexpected duplicate or contradictory headers (for example, two Host or X-Forwarded-For values) reaching the ASGI application.
Detection Strategies
- Inspect proxy and load balancer logs for raw header bytes outside the printable ASCII range during Upgrade: websocket requests.
- Add web application firewall rules that reject requests containing the six listed control bytes in any header value.
- Correlate Daphne access logs with application-layer authentication anomalies that follow WebSocket handshake attempts.
Monitoring Recommendations
- Capture the byte-level representation of inbound headers at the edge proxy for forensic review.
- Alert on spikes of 400 responses from Daphne after upgrading to 4.2.2, which may indicate active probing.
- Track the Daphne version in deployment inventories and flag any host still running a release earlier than 4.2.2.
How to Mitigate CVE-2026-44546
Immediate Actions Required
- Upgrade Daphne to version 4.2.2 or later, where the server rejects offending requests with an HTTP 400 response.
- Audit ASGI applications for trust placed in headers that could be smuggled, such as Host, X-Forwarded-For, and custom authentication headers.
- Deploy an upstream reverse proxy that normalizes or strips non-CRLF control bytes from HTTP headers.
Patch Information
The maintainers fixed the issue in Daphne 4.2.2. The patched server now validates every header value and returns a 400 response when any of the bytes \\x0b, \\x0c, \\x1c, \\x1d, \\x1e, or \\x85 are present. Patch details are documented in the GitHub Daphne Changelog.
Workarounds
- Place a hardened reverse proxy such as nginx or HAProxy in front of Daphne and configure it to reject requests with non-standard control bytes in headers.
- Disable WebSocket endpoints temporarily if patching is not immediately feasible and the application does not require them.
- Add middleware in the ASGI application that validates header values against a strict allowlist before acting on them.
# Upgrade Daphne to the fixed release
pip install --upgrade 'daphne>=4.2.2'
# Verify installed version
python -c "import daphne; print(daphne.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
