CVE-2026-54387

Source
https://cve.org/CVERecord?id=CVE-2026-54387
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54387
Downstream
Related
Published
2026-06-17T19:48:37.904Z
Modified
2026-07-08T08:13:48.350766188Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization
Details

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54387.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-444"
    ]
}
References

Affected packages

Git / github.com/tinyproxy/tinyproxy

Affected ranges

Type
GIT
Repo
https://github.com/tinyproxy/tinyproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.3"
        }
    ]
}

Affected versions

1.*
1.10.0
1.11.0
1.11.0-rc1
1.11.1
1.11.2
1.7.1
1.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54387.json"