5.8

CVE-2026-33555

Exploit
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaproxyHaproxy Version >= 2.6.0 < 3.3.6
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.3% 0.213
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.8 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
cve@mitre.org 4 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-130 Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

https://www.haproxy.org
Product
https://www.haproxy.com/documentation/haproxy-aloha/changelog/
Release Notes
https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84
Patch
https://www.mail-archive.com/haproxy@formilux.org/msg46752.html
Release Notes
https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html
Third Party Advisory
Exploit