Cloudflare patches three HTTP request smuggling vulnerabilities in Pingora 0.8.0
Cloudflare · security · release · bugfix · open-source · blog.cloudflare.com ↗

Three HTTP Request Smuggling Vulnerabilities Patched

Cloudflare has released Pingora 0.8.0 to fix three critical HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) discovered in December 2025. The vulnerabilities were responsibly reported by researcher Rajat Raghav through Cloudflare's Bug Bounty Program.

Impact and Risk

These vulnerabilities affect standalone Pingora deployments used as ingress proxies and could enable attackers to:

  • Bypass proxy-layer security controls including ACLs and WAF logic
  • Desynchronize the request/response streams between the proxy and its backends, so that a response to an attacker's smuggled request is delivered to a different user's connection, enabling cross-user session hijacking and credential theft
  • Poison caches at the proxy layer that serve content fetched from shared backends

Cloudflare's own CDN infrastructure was not affected, because of its network architecture: Pingora is not deployed as an ingress proxy in Cloudflare's production network.

Vulnerability Details

Premature Upgrade Without 101 Handshake

The first vulnerability involved Pingora entering "passthrough" mode as soon as it saw an Upgrade header in the client request, before the backend had accepted the upgrade with a 101 Switching Protocols response. An attacker could pipeline a second HTTP request immediately after the upgrade request; Pingora would relay those bytes opaquely as part of the upgraded stream instead of parsing them as a separate HTTP request. If the backend declined the upgrade (returning, for example, 200 OK), it kept speaking HTTP/1 and parsed the relayed bytes as a second request, answering it with a response Pingora was not expecting. Proxy and backend were now desynchronized: the extra response sat queued on the shared backend connection, so a subsequent request from a different user could receive the attacker-controlled response.
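The state-machine mistake described above, and the corrected behaviour, as an added example in Rust. This is a toy model written for this page, not Pingora's code: `run_proxy`, `UpgradePolicy` and the pipelined byte stream are constructed for illustration. Requests in the model carry no body, so each header block is one request, and the "backend" is represented only by the status it returns to the upgrade request.

```rust
// Added example (not Pingora code): a toy HTTP/1 proxy model showing the
// pre-0.8.0 upgrade handling beside the fixed one. Names and the byte stream
// below are constructed for illustration.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum UpgradePolicy {
    /// Pre-fix: enter passthrough as soon as the *request* carries Upgrade.
    OnRequestHeader,
    /// Fixed: enter passthrough only after the backend answers 101.
    On101Response,
}

#[derive(Debug, PartialEq)]
pub struct Outcome {
    /// Requests the proxy parsed and forwarded as distinct HTTP requests.
    pub proxy_requests: usize,
    /// Requests the backend sees as distinct HTTP requests. A backend that
    /// did not send 101 keeps parsing HTTP/1 on the connection.
    pub backend_requests: usize,
    /// Bytes the proxy relayed opaquely after switching to passthrough.
    pub passthrough_bytes: usize,
}

impl Outcome {
    /// Proxy and backend disagree on how many requests were sent: desync.
    pub fn desynced(&self) -> bool {
        self.proxy_requests != self.backend_requests
    }
}

/// Split a pipelined HTTP/1 stream into header blocks at CRLFCRLF.
fn split_requests(stream: &[u8]) -> Vec<&[u8]> {
    let mut out = Vec::new();
    let mut start = 0;
    let mut i = 0;
    while i + 4 <= stream.len() {
        if &stream[i..i + 4] == b"\r\n\r\n" {
            out.push(&stream[start..i + 4]);
            start = i + 4;
            i += 4;
        } else {
            i += 1;
        }
    }
    out
}

fn has_upgrade_header(req: &[u8]) -> bool {
    req.split(|&b| b == b'\n')
        .any(|line| line.to_ascii_lowercase().starts_with(b"upgrade:"))
}

/// `backend_status` is what the backend returns to the upgrade request
/// (101 = accepted, anything else = declined).
pub fn run_proxy(policy: UpgradePolicy, client_stream: &[u8], backend_status: u16) -> Outcome {
    let mut out = Outcome { proxy_requests: 0, backend_requests: 0, passthrough_bytes: 0 };
    let mut consumed = 0usize;
    for req in split_requests(client_stream) {
        out.proxy_requests += 1;
        out.backend_requests += 1;
        consumed += req.len();
        if !has_upgrade_header(req) {
            continue;
        }
        let switch = match policy {
            UpgradePolicy::OnRequestHeader => true,
            UpgradePolicy::On101Response => backend_status == 101,
        };
        if switch {
            // The proxy stops parsing: everything after this request is
            // tunnelled as opaque bytes.
            out.passthrough_bytes = client_stream.len() - consumed;
            if backend_status != 101 {
                // Backend declined the upgrade, so it still parses HTTP/1 and
                // treats the tunnelled bytes as further requests.
                out.backend_requests += split_requests(&client_stream[consumed..]).len();
            }
            break;
        }
    }
    out
}

/// Constructed attack stream: an upgrade request with a second request
/// pipelined directly behind it.
pub const ATTACK_STREAM: &[u8] = b"GET /ws HTTP/1.1\r\nHost: app.example\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n";

fn main() {
    for (label, policy) in [("pre-fix", UpgradePolicy::OnRequestHeader), ("fixed", UpgradePolicy::On101Response)] {
        let o = run_proxy(policy, ATTACK_STREAM, 200);
        println!("{}: {:?} desynced={}", label, o, o.desynced());
    }
}
```

With the backend declining (200), the pre-fix policy forwards one request but the backend sees two, which is the desync the advisory describes; the fixed policy keeps parsing and both sides agree on two. When the backend really does answer 101, both policies tunnel the remaining bytes and the backend, now speaking the upgraded protocol, does not parse them as HTTP either.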

Additional Attack Vectors

The vulnerability report included additional HTTP/1 payloads that produced similar desync conditions by exploiting lenient, non-RFC-compliant interpretations of the request body length, that is, of the Content-Length and Transfer-Encoding framing headers. Pingora deliberately accepts some edge-case requests that are not strictly RFC-compliant so that customers with legacy HTTP stacks keep working, but where the proxy and the backend resolve such a request to different body lengths, that leniency becomes a smuggling primitive.

Remediation

All users of the Pingora framework are strongly recommended to upgrade to version 0.8.0 immediately. The patch corrects Pingora's HTTP/1 stack to:

  • Only enter passthrough mode after receiving an explicit 101 Switching Protocols response
  • Properly handle non-101 responses by continuing HTTP request parsing
  • Implement stricter request body length interpretations to prevent desync conditions
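The kind of strict body-length decision that the "Additional Attack Vectors" section and the third fix point above call for, as an added example in Rust. This is not Pingora's parser: `decide_framing`, its error variants and the sample header sets are written for this page. The function takes the already-split header lines and returns exactly one framing, refusing any request that two RFC 9110/9112 implementations could frame differently; the rejections follow RFC 9112 §6.3 (Transfer-Encoding with Content-Length, chunked not the final coding) and RFC 9110 §8.6 (malformed or divergent Content-Length values).

```rust
// Added example (not Pingora code): strict HTTP/1 body-length framing.
// Sample header sets in main() are constructed for illustration.

#[derive(Debug, PartialEq)]
pub enum Framing {
    ContentLength(u64),
    Chunked,
    NoBody,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    /// Transfer-Encoding and Content-Length both present (CL.TE / TE.CL).
    ConflictingFraming,
    /// A Content-Length value that is not plain 1*DIGIT (or overflows u64).
    MalformedContentLength,
    /// Several Content-Length values that do not agree.
    DivergentContentLengths,
    /// Transfer-Encoding present but "chunked" is not the final coding.
    UnterminatedTransferEncoding,
}

fn lowercase(s: &str) -> String {
    s.to_ascii_lowercase()
}

/// `headers` is the (name, value) list in wire order. Values are used as
/// received; only the optional whitespace around a field value is stripped.
pub fn decide_framing(headers: &[(&str, &str)]) -> Result<Framing, FramingError> {
    let mut te: Vec<String> = Vec::new();
    let mut cl: Vec<u64> = Vec::new();
    for (name, value) in headers {
        match lowercase(name).as_str() {
            "transfer-encoding" => te.extend(value.split(',').map(|c| lowercase(c.trim()))),
            "content-length" => {
                // A Content-Length field may repeat or carry a comma list only
                // if every value is identical; each value must be 1*DIGIT.
                for part in value.split(',') {
                    let part = part.trim_matches(|c: char| c == ' ' || c == '\t');
                    if part.is_empty() || !part.bytes().all(|b| b.is_ascii_digit()) {
                        return Err(FramingError::MalformedContentLength);
                    }
                    // The digit check above already rejects "+13" and " 13",
                    // which u64::from_str would otherwise accept or trim away.
                    let n: u64 = part.parse().map_err(|_| FramingError::MalformedContentLength)?;
                    cl.push(n);
                }
            }
            _ => {}
        }
    }
    if !te.is_empty() && !cl.is_empty() {
        // Two framings on one message: the classic smuggling setup. Reject
        // rather than pick one, because the backend may pick the other.
        return Err(FramingError::ConflictingFraming);
    }
    if !te.is_empty() {
        // Only the final coding may be chunked; anything else leaves the body
        // length undefined on the wire.
        return if te.last().map(String::as_str) == Some("chunked") {
            Ok(Framing::Chunked)
        } else {
            Err(FramingError::UnterminatedTransferEncoding)
        };
    }
    if cl.is_empty() {
        return Ok(Framing::NoBody);
    }
    if cl.iter().any(|&n| n != cl[0]) {
        return Err(FramingError::DivergentContentLengths);
    }
    Ok(Framing::ContentLength(cl[0]))
}

fn main() {
    let cases: [&[(&str, &str)]; 4] = [
        &[("Host", "app.example"), ("Content-Length", "13")],
        &[("Host", "app.example"), ("Transfer-Encoding", "chunked"), ("Content-Length", "4")],
        &[("Host", "app.example"), ("Content-Length", "+13")],
        &[("Host", "app.example"), ("Transfer-Encoding", "chunked, identity")],
    ];
    for c in cases.iter() {
        println!("{:?} -> {:?}", c, decide_framing(c));
    }
}
```

The design choice worth noting is that every ambiguous case is an error, not a best guess. A proxy that quietly prefers one framing is only safe if every backend behind it prefers the same one; rejecting the request with a 400 removes the disagreement instead of betting on it.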

Patches are available in the Pingora 0.8.0 release on GitHub.