Cloudflare has issued an update to its open-source Pingora framework, releasing version 0.8.0 to address three critical security vulnerabilities. These issues, identified as CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836, posed risks of HTTP request smuggling and cache poisoning, which could severely impact standalone Pingora setups that are directly exposed to the internet.
Vulnerabilities Overview
The vulnerabilities were discovered by security researcher Rajat Raghav through Cloudflare’s Bug Bounty Program. Each flaw carries a high severity rating, with scores reaching up to 9.3 out of 10. If left unresolved, these vulnerabilities allow attackers to bypass critical security controls, such as proxy-level Access Control Lists (ACLs) and Web Application Firewalls (WAFs), potentially hijack user sessions, and compromise upstream connections.
One of the vulnerabilities enables a desynchronization (desync) attack, in which an attacker sends an upgrade request followed by a partial HTTP request to exploit the system.
Details of Each Vulnerability
The first issue, classified as CVE-2026-2833, arises from the way Pingora processes HTTP/1.1 connection upgrade headers. When Pingora receives an “Upgrade” header, it enters passthrough mode prematurely, without waiting for the backend server to confirm the upgrade. This allows an attacker to append a hidden request that evades security measures and may take control of user sessions.
CVE-2026-2835 centers on Pingora’s handling of HTTP/1.0 requests, where it improperly parses request bodies and “Transfer-Encoding: chunked” headers. This discrepancy leads to connection desynchronization, which attackers could exploit to insert malicious payloads.
The third flaw, CVE-2026-2836, pertains to Pingora’s default cache key construction. The framework’s reliance on the URI path alone, without considering the host header or HTTP scheme, results in cache key collisions. This enables attackers to force cache poisoning, delivering harmful responses to users.
Mitigation and Recommendations
To mitigate these risks, Cloudflare advises all organizations utilizing standalone Pingora proxies to promptly update to version 0.8.0 or later. This update corrects the parsing logic, ensuring stricter compliance with RFC standards.
Additionally, Cloudflare recommends implementing custom cache keys. The latest version eliminates the insecure default cache key, requiring users to create a custom callback incorporating the host header, HTTP scheme, and URI path to maintain cache integrity.
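The collision described above, as an added example that is not Pingora's or Cloudflare's code: a standard-library Rust model of a path-only key beside a key built from scheme, host and path. The `Req` type, the function names, the hostnames and the length-prefixed key layout are assumptions made for illustration; in a real deployment the same construction would live in the custom cache-key callback.

```rust
use std::collections::HashMap;

/// Request fields that select a cached object (constructed model, not Pingora's types).
struct Req<'a> {
    scheme: &'a str,
    host: &'a str,
    path: &'a str,
}

/// Path-only key: the shape the article describes as the insecure default.
fn path_only_key(r: &Req) -> String {
    r.path.to_string()
}

/// Key built from scheme, host and path. The host is lowercased because hostnames
/// are case-insensitive, and every field is length-prefixed so that a crafted value
/// cannot shift a field boundary and reproduce another request's key.
fn full_key(r: &Req) -> String {
    let host = r.host.to_ascii_lowercase();
    format!(
        "{}:{}|{}:{}|{}:{}",
        r.scheme.len(), r.scheme, host.len(), host, r.path.len(), r.path
    )
}

/// Cache `first`'s response, then look up `second`. Returns the body `second` is
/// served: the cached entry on a key hit, otherwise its own origin response.
fn serve_second(key: fn(&Req) -> String, first: (&Req, &str), second: (&Req, &str)) -> String {
    let mut cache: HashMap<String, String> = HashMap::new();
    cache.insert(key(first.0), first.1.to_string());
    let k = key(second.0);
    cache.get(&k).cloned().unwrap_or_else(|| second.1.to_string())
}

fn main() {
    // Constructed sample: two sites behind one proxy, both serving /app.js.
    let a = Req { scheme: "https", host: "tenant-a.example", path: "/app.js" };
    let b = Req { scheme: "https", host: "tenant-b.example", path: "/app.js" };
    let (ra, rb) = ((&a, "body-from-a"), (&b, "body-from-b"));
    println!("path-only key serves b: {}", serve_second(path_only_key, ra, rb));
    println!("full key serves b:      {}", serve_second(full_key, ra, rb));
}
```

With the path-only key the second site receives the first site's cached body; with the full key each site gets its own response.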
If an immediate update isn’t feasible, Cloudflare suggests temporary measures such as configuring request filters to reject any request with an “Upgrade” header and blocking non-HTTP/1.1 requests or those with invalid Content-Length headers.
