{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34475", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-27T19:40:27.986Z", "datePublished": "2026-03-27T19:40:28.397Z", "dateUpdated": "2026-03-27T20:01:11.327Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Varnish Cache", "vendor": "varnish-software", "versions": [{"lessThan": "6.0.17 LTS", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "8.0.1", "status": "affected", "version": "7.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-180", "description": "CWE-180 Incorrect Behavior Order: Validate Before Canonicalize", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T19:47:58.919Z"}, "references": [{"url": "https://vinyl-cache.org/security/VSV00018.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.17 LTS"}, {"vulnerable": true, "criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "8.0.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:00:56.066373Z", "id": "CVE-2026-34475", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:01:11.327Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:00:56.066373Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:01:02.764Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "varnish-software", "product": "Varnish Cache", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.17 LTS", "versionType": "custom"}, {"status": "affected", "version": "7.0.0", "lessThan": "8.0.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://vinyl-cache.org/security/VSV00018.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-180", "description": "CWE-180 Incorrect Behavior Order: Validate Before Canonicalize"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0.17 LTS"}, {"criteria": "cpe:2.3:a:varnish-software:varnish_cache:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "8.0.1", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T19:47:58.919Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34475", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:01:11.327Z", "dateReserved": "2026-03-27T19:40:27.986Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-27T19:40:28.397Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:*:*:*:*:*:*:*:*", "matchCriteriaId": "E53A64C0-FC22-40B5-8C3B-6288B44AC3FC", "versionEndIncluding": "6.0.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r1:*:*:*:*:*:*", "matchCriteriaId": "F24D68B5-362E-4797-B6DE-C19A2893186C", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r10:*:*:*:*:*:*", "matchCriteriaId": "910BAD01-26E5-4D12-AA23-0BD2D48F229C", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r11:*:*:*:*:*:*", "matchCriteriaId": "BCF39307-6F25-4D97-8901-EE1A80A66AD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r2:*:*:*:*:*:*", "matchCriteriaId": "05E529DF-DEE1-4A62-998B-CA312DF888FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r3:*:*:*:*:*:*", "matchCriteriaId": "8AB27B34-2951-4755-851C-7C942DAFB6C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r4:*:*:*:*:*:*", "matchCriteriaId": "18A22D42-B038-4E09-92DD-8AFD2F51A340", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r5:*:*:*:*:*:*", "matchCriteriaId": "FE76D616-3AA8-4D9A-9D41-9AE35FE20DBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r6:*:*:*:*:*:*", "matchCriteriaId": "9C5610CF-1FE4-4DF8-8D49-7C0CCF0359E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r7:*:*:*:*:*:*", "matchCriteriaId": "27B776B2-9C38-45BE-89E4-ECDEEAE538A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r8:*:*:*:*:*:*", "matchCriteriaId": "ED3CA600-C88D-4825-8C36-E052822AF59F", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish-software:varnish_enterprise:6.0.16:r9:*:*:*:*:*:*", "matchCriteriaId": "6B1D57B1-9771-4195-9EE3-B26EA776FB6B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vinyl-cache:vinyl_cache:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C1ED7AA-6E2F-4C75-82D3-D7C2CB125C48", "versionEndExcluding": "8.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass."}], "id": "CVE-2026-34475", "lastModified": "2026-04-22T19:40:02.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T20:16:36.390", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://vinyl-cache.org/security/VSV00018.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-180"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling", "id": "2452408", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452408"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-1286", "details": ["Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.", "A flaw was found in Varnish Cache and Varnish Enterprise. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 requests with a path of `/` in the URL. This mishandling of URLs, specifically in unchecked `req.url` scenarios, could lead to cache poisoning, where an attacker manipulates cached content, or an authentication bypass, allowing unauthorized access."], "name": "CVE-2026-34475", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "redhat-user-workloads/varnish-7-10-0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "redhat-user-workloads/varnish-7-10-1", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "varnish-modules", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "redhat-user-workloads/varnish-6-8-10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "varnish:6/varnish", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "varnish:6/varnish-modules", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "redhat-user-workloads/varnish-6-9-6", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "redhat-user-workloads/varnish-6-9-7", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "varnish-modules", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T19:40:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34475\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34475\nhttps://vinyl-cache.org/security/VSV00018.html"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.0.17 LTS)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.0.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Varnish Cache", "source": "cna", "vendor": "varnish-software"}, "product": "varnish_cache", "vendor": "varnish-software"}], "analysis": {"en": {"generated_at": "2026-04-02T02:36:28.346667+00:00", "value": {"mitigation_remediation": ["Upgrade Varnish Cache to version 8.0.1 or later or Varnish Enterprise to 6.0.16r12 or later", "Reconfigure the caching layer to ignore or sanitize URLs with a single forward slash for HTTP/1.1 traffic"], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass and cache poisoning"}, "threat_synthesis": {"affected_systems": "Varnish Cache versions prior to 8.0.1 and Varnish Enterprise prior to 6.0.16r12 are affected. Only these legacy releases are at risk; newer releases are not vulnerable.", "description_and_impact": "Varnish software's caching engine fails to properly normalize request URLs that contain a forward\u2011slash path when serving HTTP/1.1 traffic. As a result, an attacker can craft a request that causes the proxy to cache or serve content that it would normally treat as distinct to other clients. This flaw can be leveraged to inject false cache entries or to bypass authentication mechanisms that rely on cache validation, potentially allowing unauthorized access to protected content.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.4, indicating moderate risk, and has an EPSS score of less than 1\u202f%, suggesting a low probability of mass exploitation. It is not currently listed in the CISA KEV catalog. Exploitation requires remote delivery of a crafted HTTP/1.1 request targeting the vulnerable server, which an attacker can easily embed in malicious traffic. The impact, however, is limited to the realm of cache poisoning and authentication bypass for requests that trigger the unchecked URL handler."}}}}, "created": "2026-03-29T20:30:25.374332+00:00", "updated": "2026-04-02T07:55:25.620508+00:00", "vendors": ["varnish-software", "varnish-software$PRODUCT$varnish_cache"]}