Full Report
Today we’re disclosing request smuggling vulnerabilities when our open source Pingora service is deployed as an ingress proxy and how we’ve fixed them in Pingora 0.8.0.
Analysis Summary
# Vulnerability: HTTP/1.x Request Smuggling in Pingora OSS
## CVE Details
- **CVE ID:** CVE-2026-2833, CVE-2026-2835, CVE-2026-2836
- **CVSS Score:** Not explicitly listed in article (estimated High based on impact)
- **CWE:** CWE-444 (Inconsistent Interpretation of HTTP Requests/'HTTP Request Smuggling')
## Affected Systems
- **Products:** Pingora Open Source Framework
- **Versions:** All versions prior to 0.8.0
- **Configurations:** Standalone Pingora deployments used as an **ingress proxy** exposed to the Internet and connecting to shared backends (e.g., Node/Express, uvicorn).
  - *Note: Cloudflare’s CDN was not affected as it does not use Pingora in an ingress configuration.*
## Vulnerability Description
Pingora lacked strict RFC compliance in its HTTP/1.x stack, leading to three specific desynchronization flaws:
1. **Premature Upgrade (CVE-2026-2833):** Pingora entered "passthrough" mode immediately upon seeing an `Upgrade` header, before receiving a `101 Switching Protocols` response from the backend. This allowed attackers to pipeline a "smuggled" request immediately following the upgrade request.
2. **Transfer-Encoding/Content-Length Inconsistencies (CVE-2026-2835):** Modern HTTP/1.1 parsing errors allowed attackers to manipulate how the proxy and backend determined the end of a request body.
3. **Ambiguous Request Parsing (CVE-2026-2836):** Issues related to HTTP/1.0 parsing and default cache key construction could lead to cache poisoning.
## Exploitation
- **Status:** PoC available (provided by researcher Rajat Raghav); No known exploitation in the wild at time of report.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Session hijacking and credential theft via cross-user desync).
- **Integrity:** High (Cache poisoning and bypass of proxy-layer security controls).
- **Availability:** Low (Potential for service disruption via malformed requests).
## Remediation
### Patches
- **Upgrade to Pingora 0.8.0** or later. This version introduces stricter RFC compliance checks and removes the vulnerable "passthrough" behavior before a 101 handshake.
### Workarounds
- No specific software workarounds provided; immediate upgrade is the recommended course of action for exposed ingress proxies.
## Detection
- **Indicators of Compromise:** Monitor logs for inconsistent Request/Response counts on single TCP connections.
- **Detection methods:** Inspect incoming traffic for high volumes of `Upgrade` headers paired with immediate pipelined requests, or requests containing both `Transfer-Encoding` and `Content-Length` headers.
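
The two traffic patterns listed above, checked against the bytes read from one client connection. This is an added example, not code from Pingora or the advisory. The function names, the `saw_101` parameter and the sample requests are constructed for illustration, and chunked bodies are not decoded.

```python
# Constructed sample inputs: bytes read from a single client connection.
SAMPLE_UPGRADE = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
                  b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
                  b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_TE_CL = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SAMPLE_CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_head(buf):
    """Split the first HTTP/1.x message head from the bytes that follow it."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete, nothing to judge yet
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        # Normalise case and stray whitespace so "Transfer-Encoding :" still matches.
        headers.append((name.strip().lower(), value.strip()))
    return headers, rest


def audit_client_bytes(buf, saw_101=False):
    """Return findings for the first request in buf.

    saw_101 (hypothetical parameter): True if the backend had already answered
    101 Switching Protocols before these bytes arrived.
    """
    parsed = parse_head(buf)
    if parsed is None:
        return []
    headers, rest = parsed
    names = [n for n, _ in headers]
    lengths = [v for n, v in headers if n == b"content-length"]
    has_te = b"transfer-encoding" in names
    findings = []
    if has_te and lengths:
        findings.append("te-and-cl")  # both framing headers on one request
    if b"upgrade" in names and not saw_101 and not has_te:
        # Bytes beyond the declared body were sent before the handshake completed.
        body_len = int(lengths[0]) if lengths and lengths[0].isdigit() else 0
        if len(rest) > body_len:
            findings.append("data-after-upgrade-before-101")
    return findings


if __name__ == "__main__":
    for label, sample in [("upgrade", SAMPLE_UPGRADE), ("te+cl", SAMPLE_TE_CL),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, audit_client_bytes(sample))
```

A finding here is a triage signal rather than proof of an attack: legitimate clients occasionally send both framing headers, so correlate hits with the per-connection request/response count mismatch noted above.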
## References
- **Vendor Advisory:** hxxps://blog[.]cloudflare[.]com/pingora-oss-smuggling-vulnerabilities/
- **GitHub Release:** hxxps://github[.]com/cloudflare/pingora/releases/tag/0.8.0
- **Researcher Blog:** hxxps://xclow3n[.]github[.]io/post/6