CVE-2026-1527

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-1527

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1527.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-1527

Aliases

GHSA-4992-7rv2-5pvq

Downstream

DEBIAN-CVE-2026-1527

MINI-3fgx-hccc-hm6q

MINI-4rgr-2f52-j36h

MINI-fcfc-f83v-fq5c

MINI-g4mv-4p5v-f7mp

MINI-h444-fq94-jfc2

MINI-h5xc-966m-ccr9

MINI-m554-ppx8-r58x

MINI-phmp-vjcv-cqrx

MINI-pmg3-6ch3-v3f3

UBUNTU-CVE-2026-1527

Related

CGA-474r-8wcx-87w5

Published

2026-03-12T21:16:25.137Z

Modified

2026-03-18T22:58:59.270508Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

Inject arbitrary HTTP headers
Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121 if (upgrade) { header += connection: upgrade\r\nupgrade: ${upgrade}\r\n }

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1527.json"