CVE-2026-50052 Overview
CVE-2026-50052 is an HTTP Request Smuggling vulnerability [CWE-444] affecting Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3. A deficiency in HTTP/2 request parsing allows attackers to launch a backend request desync attack against the cache. Successful exploitation can lead to cache poisoning, authentication bypass, and potential information disclosure or manipulation. The vulnerability is only exposed when HTTP/2 support is explicitly enabled by including +http2 in the feature parameter. HTTP/2 support is disabled by default, which limits real-world exposure.
Critical Impact
An unauthenticated network attacker can desynchronize HTTP/2 requests with backend origins to poison cached responses, bypass authentication checks, or manipulate served content.
Affected Products
- Vinyl Cache versions prior to 9.0.1
- Varnish Cache versions prior to 9.0.3
- Deployments where the feature parameter contains +http2
Discovery Timeline
- 2026-06-03 - CVE-2026-50052 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-50052
Vulnerability Analysis
The vulnerability resides in how Vinyl Cache and Varnish Cache parse incoming HTTP/2 frames before translating them into HTTP/1.1 requests forwarded to the backend. Inconsistencies between the cache's interpretation of an HTTP/2 request and the backend's interpretation of the resulting HTTP/1.1 request create a desync condition. An attacker can craft an HTTP/2 request that the cache views as a single request, but the backend processes as two distinct requests. The smuggled second request is then attributed to the next legitimate user's connection, enabling response queue manipulation.
Root Cause
The root cause is improper validation of HTTP/2 pseudo-headers, message framing, or header field handling during the HTTP/2 to HTTP/1.1 conversion. This category of flaw is tracked as CWE-444: Inconsistent Interpretation of HTTP Requests. The cache and the upstream server disagree on request boundaries, which is the foundational condition for request smuggling.
Attack Vector
Exploitation requires network access to the cache and that HTTP/2 is enabled through the +http2 feature flag. An attacker sends a specially crafted HTTP/2 request that the cache forwards in a way that splits into two backend requests. The smuggled request can poison cached entries for arbitrary URLs, hijack responses intended for other users, or bypass authentication boundaries enforced only by the cache. No prior credentials are required, but user interaction may be necessary for certain attack chains. Refer to the Vinyl Cache Security Advisory for technical specifics.
Detection Methods for CVE-2026-50052
Indicators of Compromise
- Cached responses served to users that contain content from unrelated requests or sessions
- Unexpected backend access log entries showing requests that were never sent by clients
- HTTP/2 requests with anomalous pseudo-headers, oversized header blocks, or unusual Content-Length and Transfer-Encoding combinations forwarded as HTTP/1.1
- Authentication-protected resources returning successful responses to unauthenticated clients
Detection Strategies
- Inspect Vinyl Cache and Varnish Cache configuration for the presence of +http2 in the feature parameter to determine exposure
- Correlate frontend HTTP/2 request counts with backend HTTP/1.1 request counts; a persistent mismatch suggests smuggling activity
- Apply web application firewall rules that flag malformed HTTP/2 headers or invalid pseudo-header use
Monitoring Recommendations
- Enable verbose VCL logging for request and response headers, then alert on mismatched Host headers and unexpected method or path values
- Monitor cache hit ratios and content-type distributions for sudden anomalies that may indicate cache poisoning
- Track 4xx and 5xx response spikes from backends, which often accompany active desync probing
How to Mitigate CVE-2026-50052
Immediate Actions Required
- Upgrade Vinyl Cache to version 9.0.1 or later and Varnish Cache to version 9.0.3 or later
- If patching is not immediately possible, disable HTTP/2 by removing +http2 from the feature parameter
- Audit cache configurations across all environments to identify instances where HTTP/2 has been explicitly enabled
Patch Information
Vendors have released fixed versions: Vinyl Cache 9.0.1 and Varnish Cache 9.0.3. Both releases correct the HTTP/2 request parsing logic that allowed request desynchronization. Review the Vinyl Cache Security Advisory for upgrade instructions and validation steps.
Workarounds
- Disable HTTP/2 support entirely until the upgrade is applied, since the vulnerability is not reachable without +http2
- Terminate HTTP/2 at an upstream load balancer or reverse proxy that is not affected, then forward HTTP/1.1 to the cache
- Restrict cache access to trusted networks where feasible to reduce the attack surface
# Configuration example: disable HTTP/2 feature flag on the cache daemon
varnishd -p feature=-http2 -a :80 -f /etc/varnish/default.vcl
# Verify the running feature set
varnishadm param.show feature
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

