Cloudflare
Cloudflare patches three request smuggling vulnerabilities in Pingora 0.8.0
Cloudflare · security, release, open-source, api · blog.cloudflare.com

Three Request Smuggling Vulnerabilities Patched

Cloudflare has released Pingora 0.8.0 with fixes for three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) discovered in December 2025. The vulnerabilities were responsibly reported by security researcher Rajat Raghav through Cloudflare's Bug Bounty Program.

Vulnerability Details

The vulnerabilities manifest in three attack scenarios when Pingora is used as an ingress proxy:

  1. Premature Upgrade Switching: Pingora would enter passthrough mode for Upgrade requests before receiving a 101 Switching Protocols response from the backend, allowing attackers to pipeline a second HTTP request that bypasses proxy-layer security controls.

  2. Content-Length Misinterpretation: The framework had non-RFC-compliant interpretations of HTTP/1 request body lengths, enabling desync attacks where the proxy and backend disagreed about request boundaries.

  3. Cache and Session Hijacking: Successful desync attacks could poison proxy caches or hijack user sessions through response mixing.
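The second finding turns on how a proxy decides where an HTTP/1 request body ends. As an added illustration (not Pingora's code), the function below applies the RFC 9112 section 6.3 message-body rules to header lines of the form `Name: value` and rejects the framings that let a proxy and a backend disagree: Transfer-Encoding combined with Content-Length, a non-chunked final transfer coding, and Content-Length values that are non-numeric or inconsistent. Where the RFC permits either rejection or recovery, this example chooses rejection.

```rust
// Added example: strict RFC 9112 section 6.3 body framing for a proxy.
// Input is a slice of raw header lines; the request line is not included.

#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    Length(u64),
    None,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    ConflictingHeaders,  // Transfer-Encoding and Content-Length both present
    BadContentLength,    // non-digit value, or repeated values that differ
    UnsupportedEncoding, // Transfer-Encoding present but chunked is not final
}

/// Decide how the request body is delimited. Header names are matched
/// case-insensitively; comma-separated lists are split into members.
pub fn body_framing(headers: &[&str]) -> Result<Framing, FramingError> {
    let mut te: Vec<String> = Vec::new();
    let mut cl: Vec<String> = Vec::new();
    for line in headers {
        let (name, value) = match line.split_once(':') { Some(p) => p, None => continue };
        let values = value.split(',').map(|v| v.trim().to_string());
        match name.trim().to_ascii_lowercase().as_str() {
            "transfer-encoding" => te.extend(values),
            "content-length" => cl.extend(values),
            _ => {}
        }
    }
    if !te.is_empty() {
        // 6.3 rule 3: TE plus CL is a smuggling signal; reject instead of reconciling.
        if !cl.is_empty() { return Err(FramingError::ConflictingHeaders); }
        // Chunked must be the final coding; otherwise the length is unknowable.
        return match te.last() {
            Some(t) if t.eq_ignore_ascii_case("chunked") => Ok(Framing::Chunked),
            _ => Err(FramingError::UnsupportedEncoding),
        };
    }
    if cl.is_empty() { return Ok(Framing::None); }
    // 6.3 rule 5: every Content-Length member must be identical and purely digits.
    if cl.iter().any(|v| v != &cl[0]) || !cl[0].bytes().all(|b| b.is_ascii_digit()) {
        return Err(FramingError::BadContentLength);
    }
    cl[0].parse::<u64>().map(Framing::Length).map_err(|_| FramingError::BadContentLength)
}

fn main() {
    println!("{:?}", body_framing(&["Transfer-Encoding: chunked", "Content-Length: 4"]));
}
```

A proxy that answers `Err` here with a 400 and closes the connection never forwards a request whose boundaries the backend might read differently.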

Impact and Scope

Cloudflare's CDN and customer traffic were not affected. The vulnerabilities only impact standalone Pingora deployments exposed to the Internet. Cloudflare's architecture does not use Pingora as an ingress proxy, and production traffic did not trigger these misinterpretations.

However, the potential impacts for affected deployments are serious:

  • Bypass of proxy-layer security controls and WAF rules
  • Cross-user hijacking attacks enabling credential or session theft
  • Cache poisoning through desynced requests

Recommended Actions

All users of the Pingora open-source framework should upgrade to Pingora 0.8.0 as soon as possible. The patches include proper RFC 9110 compliance for the Upgrade header handshake and corrected request body length interpretation. Cloudflare customers require no action and have not experienced any impact from these vulnerabilities.