CVE-2026-54388

Source
https://cve.org/CVERecord?id=CVE-2026-54388
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54388.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54388
Downstream
Related
Published
2026-06-17T19:59:00Z
Modified
2026-07-08T08:13:48.357393118Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
Details

Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54388.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-444"
    ]
}
References

Affected packages

Git / github.com/tinyproxy/tinyproxy

Affected ranges

Type
GIT
Repo
https://github.com/tinyproxy/tinyproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.3"
        }
    ]
}

Affected versions

1.*
1.10.0
1.11.0
1.11.0-rc1
1.11.1
1.11.2
1.11.3
1.7.1
1.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54388.json"