{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33555", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T18:43:17.553Z", "dateReserved": "2026-03-22T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HAProxy", "vendor": "HAProxy", "versions": [{"lessThan": "3.3.6", "status": "affected", "version": "2.6", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:53:33.583Z"}, "references": [{"url": "https://www.haproxy.org"}, {"url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}, {"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6", "versionEndExcluding": "3.3.6"}]}]}]}, "adp": [{"references": [{"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:42:59.239377Z", "id": "CVE-2026-33555", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:43:17.553Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33555", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:42:59.239377Z"}}}], "references": [{"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:22:34.930Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "HAProxy", "product": "HAProxy", "versions": [{"status": "affected", "version": "2.6", "lessThan": "3.3.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.haproxy.org"}, {"url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}, {"url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.3.6", "versionStartIncluding": "2.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:53:33.583Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33555", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:43:17.553Z", "dateReserved": "2026-03-22T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "id": "CVE-2026-33555", "lastModified": "2026-04-22T19:17:02.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-13T17:16:28.237", "references": [{"source": "cve@mitre.org", "url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"source": "cve@mitre.org", "url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html"}, {"source": "cve@mitre.org", "url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"source": "cve@mitre.org", "url": "https://www.haproxy.org"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization", "id": "2457920", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457920"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-130", "details": ["A flaw was found in HAProxy. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP/3 request. The HTTP/3 parser fails to verify that the received body length matches the announced content-length when a stream is closed with an empty payload. This desynchronization with the backend server can lead to request smuggling, allowing an attacker to bypass security mechanisms and potentially access unauthorized resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33555", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33555\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33555\nhttps://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84\nhttps://www.haproxy.com/documentation/haproxy-aloha/changelog/\nhttps://www.haproxy.org\nhttps://www.mail-archive.com/haproxy@formilux.org/msg46752.html"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.6,3.3.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "HAProxy", "source": "cna", "vendor": "HAProxy"}, "product": "haproxy", "vendor": "haproxy"}], "analysis": {"en": {"generated_at": "2026-04-13T18:52:21.214400+00:00", "value": {"mitigation_remediation": ["Upgrade HAProxy to version 3.3.6 or newer"], "summary": {"action": "Patch Now", "impact": "Request smuggling through HTTP/3 parsing flaw"}, "threat_synthesis": {"affected_systems": "All HAProxy installations running any version from 2.6 up to, but not including, 3.3.6 are affected. The problem is confined to the HTTP/3 implementation; systems that do not expose an HTTP/3 receptor to clients are not at risk through this flaw.", "description_and_impact": "A flaw in HAProxy\u2019s HTTP/3 parser fails to verify that the body length announced by the content-length header matches the actual payload length when a stream ends with an empty frame. The mismatch can desynchronize the communication between the proxy and its backend, potentially allowing an attacker to smuggle requests or manipulate request contents. This type of vulnerability is a classic example of data misinterpretation, identified here as CWE\u2011130.", "risk_and_exploitability": "The CVSS score of 4.0 indicates moderate severity, and the absence of an EPSS value means the exact exploit probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation yet. Based on the description, it is inferred that an adversary would need network access to the HAProxy instance\u2019s HTTP/3 interface and the ability to send tailored HTTP/3 frames that terminate a stream with zero payload."}}}}, "created": "2026-04-14T16:21:54.602395+00:00", "title": "HTTP/3 Request Smuggling Vulnerability in HAProxy", "updated": "2026-04-14T16:35:44.207659+00:00", "vendors": ["haproxy", "haproxy$PRODUCT$haproxy"]}