Endigest AI Core Summary
This post covers three vulnerabilities in the Pingora open source proxy framework (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836), all patched in version 0.8.0: two HTTP/1.x request smuggling issues and a cache-key weakness that allows cross-host cache poisoning.
•Vulnerability 1: In passthrough mode, Pingora forwarded the bytes that followed a request carrying an Upgrade header to the upstream before the upstream had accepted the upgrade with a 101 response. Those bytes were therefore never parsed as a request of their own, so a second request placed after the Upgrade request could bypass ACL/WAF logic.
•Vulnerability 2: A CL.TE desync caused by mishandling of HTTP/1.0 requests that carried a Transfer-Encoding header. Instead of rejecting the combination, Pingora treated the request body as close-delimited (read until the connection closed), so the proxy and an upstream that honored the Transfer-Encoding header could disagree about where one request ended and the next began.
•Vulnerability 3: The default CacheKey was derived from the URI path alone, so responses for different hosts that share a path collided in the cache and one host's content could poison another's.
•Fixes include gating upgrade passthrough strictly on a 101 response, rejecting HTTP/1.0 requests that carry Transfer-Encoding as well as requests with ambiguous Content-Length, and removing the naive default CacheKey.
•Cloudflare's own CDN was not affected due to architectural isolation; standalone Pingora deployments exposed to the i
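As an added illustration of the two parser-level fixes in the list above (vulnerabilities 2 and 3), the following block shows a strict HTTP/1.x body-framing check that rejects HTTP/1.0 + Transfer-Encoding and ambiguous Content-Length instead of guessing, together with a host-qualified cache key that keeps two origins sharing a path from colliding. This is example code written for this summary, not Pingora's own implementation; the names Framing, FramingError, CacheKey and cross_host_hit, and the victim.example / attacker.example scenario, are hypothetical and constructed for the demonstration.

```rust
// Added example (not Pingora's code): strict body framing + host-qualified
// cache key. All type and function names here are hypothetical.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Framing {
    NoBody,
    ContentLength(u64),
    Chunked,
}

#[derive(Debug, PartialEq)]
pub enum FramingError {
    BadRequestLine,
    BadHeader,
    TeOnHttp10,
    ClAndTe,
    BadContentLength,
    UnsupportedTransferEncoding,
}

/// Parse a request head (request line + headers, ended by an empty line) and
/// decide how the body is delimited. Anything a proxy and an upstream could
/// interpret differently is rejected rather than guessed at.
pub fn body_framing(head: &[u8]) -> Result<Framing, FramingError> {
    let text = std::str::from_utf8(head).map_err(|_| FramingError::BadRequestLine)?;
    let mut lines = text.split("\r\n");
    let request_line = lines.next().ok_or(FramingError::BadRequestLine)?;
    let is_http10 = match request_line.rsplit(' ').next() {
        Some("HTTP/1.0") => true,
        Some("HTTP/1.1") => false,
        _ => return Err(FramingError::BadRequestLine),
    };
    let mut cl: Vec<&str> = Vec::new();
    let mut te: Vec<&str> = Vec::new();
    for line in lines.take_while(|l| !l.is_empty()) {
        let (name, value) = line.split_once(':').ok_or(FramingError::BadHeader)?;
        // Whitespace around the field name ("Transfer-Encoding : chunked") is a
        // classic obfuscation that parsers disagree on; reject it outright.
        if name.is_empty() || name != name.trim() {
            return Err(FramingError::BadHeader);
        }
        match name.to_ascii_lowercase().as_str() {
            "content-length" => cl.extend(value.split(',').map(str::trim)),
            "transfer-encoding" => te.extend(value.split(',').map(str::trim)),
            _ => {}
        }
    }
    if !te.is_empty() {
        // HTTP/1.0 has no Transfer-Encoding; falling back to a close-delimited
        // body here is exactly the desync described above, so reject instead.
        if is_http10 {
            return Err(FramingError::TeOnHttp10);
        }
        if !cl.is_empty() {
            return Err(FramingError::ClAndTe);
        }
        if te.len() != 1 || !te[0].eq_ignore_ascii_case("chunked") {
            return Err(FramingError::UnsupportedTransferEncoding);
        }
        return Ok(Framing::Chunked);
    }
    if cl.is_empty() {
        return Ok(Framing::NoBody);
    }
    // Repeated Content-Length values must be identical and purely decimal.
    let first = cl[0];
    if first.is_empty()
        || !first.bytes().all(|b| b.is_ascii_digit())
        || cl.iter().any(|v| *v != first)
    {
        return Err(FramingError::BadContentLength);
    }
    first.parse::<u64>().map(Framing::ContentLength).map_err(|_| FramingError::BadContentLength)
}

/// Cache key qualified by host, so two origins that share a path get
/// separate entries and one cannot serve a cached response for the other.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct CacheKey {
    pub host: String,
    pub path: String,
}

impl CacheKey {
    pub fn new(host: &str, path: &str) -> Self {
        // Host names are case-insensitive; normalise so A.EXAMPLE == a.example.
        CacheKey { host: host.to_ascii_lowercase(), path: path.to_string() }
    }
}

/// Constructed scenario: victim.example caches /index.html, then the same path
/// is looked up for attacker.example. A path-only key (host left empty) hits
/// the victim's entry; the host-qualified key misses.
pub fn cross_host_hit(path_only_key: bool) -> bool {
    let key = |host: &str, path: &str| CacheKey::new(if path_only_key { "" } else { host }, path);
    let mut cache: HashMap<CacheKey, &str> = HashMap::new();
    cache.insert(key("victim.example", "/index.html"), "victim body");
    cache.contains_key(&key("attacker.example", "/index.html"))
}

fn main() {
    println!("{:?}", body_framing(b"POST / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n"));
    println!("path-only hit: {}  host-qualified hit: {}", cross_host_hit(true), cross_host_hit(false));
}
```

The framing check deliberately errs on the side of refusing: every rejected combination is one where a front-end and a back-end have historically parsed the same bytes differently, which is the precondition for any CL.TE or TE.CL desync.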
This summary was automatically generated by AI based on the original article and may not be fully accurate.