CVE-2026-33555

MEDIUM EPSS 21.8%
Published Apr 13, 20262mo ago · Modified Jun 29, 20266d ago
5.8 CVSS 3.1
Medium
Find Similar
Published Apr 13, 2026 2mo ago
Last Modified Jun 29, 2026 6d ago

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

CVSS Details

Base Score
5.8
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
21.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-130

Affected Products 1

VendorProductVersionRange
haproxyhaproxy*≥2.6.0  –  <3.3.6

References 5

  • github.com https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84
    Patch
  • r3verii.github.io https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html
    ExploitThird Party Advisory
  • haproxy.com https://www.haproxy.com/documentation/haproxy-aloha/changelog/
    Release Notes
  • haproxy.org https://www.haproxy.org
    Product
  • mail-archive.com https://www.mail-archive.com/haproxy@formilux.org/msg46752.html
    Release Notes

Remediation

  • github.com https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84
    Patch