
CVE-2026-50052: Varnish Cache Auth Bypass Vulnerability

CVE-2026-50052 is an authentication bypass flaw in Varnish Cache that exploits HTTP/2 parsing to enable request smuggling attacks. This article covers technical details, affected versions, and mitigation strategies.

CVE-2026-50052 Overview

CVE-2026-50052 is an HTTP Request Smuggling vulnerability [CWE-444] affecting Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3. A deficiency in HTTP/2 request parsing allows attackers to launch a backend request desync attack against the cache. Successful exploitation can lead to cache poisoning, authentication bypass, and potential information disclosure or manipulation. The vulnerability is only exposed when HTTP/2 support is explicitly enabled by including +http2 in the feature parameter. HTTP/2 support is disabled by default, which limits real-world exposure.

Critical Impact

An unauthenticated network attacker can desynchronize HTTP/2 requests with backend origins to poison cached responses, bypass authentication checks, or manipulate served content.

Affected Products

  • Vinyl Cache versions prior to 9.0.1
  • Varnish Cache versions prior to 9.0.3
  • Deployments where the feature parameter contains +http2

Discovery Timeline

  • 2026-06-03 - CVE-2026-50052 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-50052

Vulnerability Analysis

The vulnerability resides in how Vinyl Cache and Varnish Cache parse incoming HTTP/2 frames before translating them into HTTP/1.1 requests forwarded to the backend. Inconsistencies between the cache's interpretation of an HTTP/2 request and the backend's interpretation of the resulting HTTP/1.1 request create a desync condition. An attacker can craft an HTTP/2 request that the cache views as a single request, but the backend processes as two distinct requests. The smuggled second request is then attributed to the next legitimate user's connection, enabling response queue manipulation.

Root Cause

The root cause is improper validation of HTTP/2 pseudo-headers, message framing, or header field handling during the HTTP/2 to HTTP/1.1 conversion. This category of flaw is tracked as CWE-444: Inconsistent Interpretation of HTTP Requests. The cache and the upstream server disagree on request boundaries, which is the foundational condition for request smuggling.

Attack Vector

Exploitation requires network access to the cache and that HTTP/2 is enabled through the +http2 feature flag. An attacker sends a specially crafted HTTP/2 request that the cache forwards in a way that splits into two backend requests. The smuggled request can poison cached entries for arbitrary URLs, hijack responses intended for other users, or bypass authentication boundaries enforced only by the cache. No prior credentials are required, but user interaction may be necessary for certain attack chains. Refer to the Vinyl Cache Security Advisory for technical specifics.

Detection Methods for CVE-2026-50052

Indicators of Compromise

  • Cached responses served to users that contain content from unrelated requests or sessions
  • Unexpected backend access log entries showing requests that were never sent by clients
  • HTTP/2 requests with anomalous pseudo-headers, oversized header blocks, or unusual Content-Length and Transfer-Encoding combinations forwarded as HTTP/1.1
  • Authentication-protected resources returning successful responses to unauthenticated clients

Detection Strategies

  • Inspect Vinyl Cache and Varnish Cache configuration for the presence of +http2 in the feature parameter to determine exposure
  • Correlate frontend HTTP/2 request counts with backend HTTP/1.1 request counts; a persistent mismatch suggests smuggling activity
  • Apply web application firewall rules that flag malformed HTTP/2 headers or invalid pseudo-header use
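
The count correlation above can be tightened to a per-request pairing. This is an added example, not vendor tooling: both log layouts are constructed, and it assumes the origin logs the request id the cache attaches to each backend request (the X-Varnish header in Varnish Cache).

```bash
# Added example. Constructed log layouts:
#   cache log  : <request-id> <method> <url>    one line per backend request sent
#   origin log : <request-id|-> <method> <url>  one line per request received

# orphan_backend_requests CACHE_LOG ORIGIN_LOG
# Prints origin lines that pair with no backend request the cache recorded:
# no id, an unknown id, or an id that was already matched once.
orphan_backend_requests() {
    awk '
        FILENAME == ARGV[1]        { sent[$1]++; next }   # cache side
        $1 != "-" && sent[$1] > 0  { sent[$1]--; next }   # paired, consume it
                                   { print }              # orphan
    ' "$1" "$2"
}

# write_sample_logs DIR: constructed data in which the origin logged two
# requests that the cache never recorded sending.
write_sample_logs() {
    cat > "$1/cache.log" <<'EOF'
32770 GET /
32773 GET /account
32776 POST /api/search
EOF
    cat > "$1/origin.log" <<'EOF'
32770 GET /
32773 GET /account
- GET /static/app.js
32776 POST /api/search
32776 GET /static/app.js
EOF
}

dir=$(mktemp -d)
write_sample_logs "$dir"
echo "cache sent $(wc -l < "$dir/cache.log"), origin logged $(wc -l < "$dir/origin.log")"
orphan_backend_requests "$dir/cache.log" "$dir/origin.log"
rm -rf "$dir"
```

Both logs must cover the same time window, otherwise requests at the edges of the window show up as orphans.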

Monitoring Recommendations

  • Enable verbose VCL logging for request and response headers, then alert on mismatched Host headers and unexpected method or path values
  • Monitor cache hit ratios and content-type distributions for sudden anomalies that may indicate cache poisoning
  • Track 4xx and 5xx response spikes from backends, which often accompany active desync probing

How to Mitigate CVE-2026-50052

Immediate Actions Required

  • Upgrade Vinyl Cache to version 9.0.1 or later and Varnish Cache to version 9.0.3 or later
  • If patching is not immediately possible, disable HTTP/2 by removing +http2 from the feature parameter
  • Audit cache configurations across all environments to identify instances where HTTP/2 has been explicitly enabled
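
A triage sketch for the audit step, combining the fixed versions and the +http2 condition stated on this page. It is an added example, not vendor code: the inventory rows are constructed, and it assumes repeated `feature=` settings on the daemon command line are applied in order.

```bash
# Added example, not vendor code; inventory rows below are constructed.

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() (
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}     # drop suffixes such as -rc1
        [ "${x:-0}" -lt "${y:-0}" ] && exit 0
        [ "${x:-0}" -gt "${y:-0}" ] && exit 1
    done
    exit 1                                    # equal versions
)

# http2_enabled ARGS: replays every feature= setting in order (assumption),
# so a later -http2, none or default overrides an earlier +http2.
http2_enabled() (
    set -f; state=off                         # subshell: globbing off, IFS stays local
    for tok in $1; do
        case $tok in *feature=*) ;; *) continue ;; esac
        IFS=,
        for flag in ${tok#*feature=}; do
            case $flag in +http2) state=on ;; -http2|none|default) state=off ;; esac
        done
    done
    [ "$state" = on ]
)

# exposed PRODUCT VERSION ARGS: 0 = exposed, 1 = not exposed, 2 = unknown product.
exposed() {
    case $1 in
        vinyl)   fixed=9.0.1 ;;
        varnish) fixed=9.0.3 ;;
        *)       return 2 ;;
    esac
    version_lt "$2" "$fixed" && http2_enabled "$3"
}

# Constructed inventory: product|version|daemon arguments
while IFS='|' read -r prod ver args; do
    exposed "$prod" "$ver" "$args" && verdict=EXPOSED || verdict=ok
    printf '%-8s %-6s %s\n' "$prod" "$ver" "$verdict"
done <<'EOF'
varnish|9.0.2|-a :80 -p feature=+esi_disable_xml_check,+http2
varnish|9.0.2|-a :80 -p feature=+http2 -p feature=-http2
vinyl|9.0.0|-a :80 -p feature=+http2
EOF
```

Command-line arguments only show the startup value; confirm the live setting with `varnishadm param.show feature`, since the parameter can also be changed at runtime.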

Patch Information

Vendors have released fixed versions: Vinyl Cache 9.0.1 and Varnish Cache 9.0.3. Both releases correct the HTTP/2 request parsing logic that allowed request desynchronization. Review the Vinyl Cache Security Advisory for upgrade instructions and validation steps.

Workarounds

  • Disable HTTP/2 support entirely until the upgrade is applied, since the vulnerability is not reachable without +http2
  • Terminate HTTP/2 at an upstream load balancer or reverse proxy that is not affected, then forward HTTP/1.1 to the cache
  • Restrict cache access to trusted networks where feasible to reduce the attack surface

```bash
# Configuration example: disable HTTP/2 feature flag on the cache daemon
varnishd -p feature=-http2 -a :80 -f /etc/varnish/default.vcl

# Verify the running feature set
varnishadm param.show feature
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
