Pingora fixes critical HTTP request smuggling in HTTP/1.0 parsing
TL;DR — A critical HTTP request smuggling flaw in Pingora's HTTP/1.0 parser can desync proxy and backend request framing, enabling request routing attacks.
What happened
Pingora is Cloudflare's open-source Rust framework for building fast, reliable, and programmable HTTP proxy services. CVE-2026-2835 reports a critical HTTP request smuggling issue in the Pingora HTTP proxy framework. The vulnerability arises from allowing HTTP/1.0 request bodies to be close-delimited and from incorrect handling of multiple Transfer-Encoding values, causing Pingora's request framing to become inconsistent with backend servers.
Successful exploitation enables bypass of proxy-layer ACL/WAF logic, cache/upstream poisoning, and cross-user attacks that appear to originate from the trusted proxy IP.
HTTP request smuggling remains one of the highest-impact proxy vulnerabilities — Cloudflare notes their own CDN was not affected due to stricter ingress behavior, but standalone Pingora deployments are exposed. CVSS v4.0: 9.3 (Critical).
Who is impacted
- Deployments running Pingora versions < 0.8.0.
- Primary risk is for standalone Pingora deployments in front of backends accepting HTTP/1.0.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- If you cannot patch, implement request filtering to reject:
  - Any non-HTTP/1.1 request
  - Requests with an invalid Content-Length
  - Requests with multiple Transfer-Encoding headers
  - Requests where Transfer-Encoding is not exactly "chunked"
- The advisory recommends returning an error and disabling downstream connection reuse when applying the workaround.
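The interim filter described above, as an added illustrative example in Rust (not Pingora's own parser or any code from the advisory); it assumes a raw request head with one header per CRLF line and reports which of the four rejection rules fired.

```rust
// Added example (not Pingora's code): a conservative request-head filter implementing the
// advisory's interim workaround. Parsing is simplified: one header per CRLF line, no obs-fold.
/// Reason a request head was rejected by the filter.
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    NotHttp11,
    InvalidContentLength,
    MultipleTransferEncoding,
    TransferEncodingNotChunked,
    MalformedHead,
}
/// Check a raw request head (request line plus headers, CRLF-separated,
/// body excluded). Ok(()) means the request passes the workaround filter.
pub fn check_request_head(head: &str) -> Result<(), Reject> {
    let mut lines = head.split("\r\n");
    let request_line = lines.next().ok_or(Reject::MalformedHead)?;
    // Request line is "METHOD SP target SP version": require HTTP/1.1 exactly,
    // which also rejects HTTP/1.0 (the close-delimited body case) and HTTP/0.9.
    let version = request_line.rsplit(' ').next().ok_or(Reject::MalformedHead)?;
    if version != "HTTP/1.1" {
        return Err(Reject::NotHttp11);
    }
    let mut te_count = 0usize;
    let mut te_value: Option<String> = None;
    for line in lines.take_while(|l| !l.is_empty()) {
        let (name, value) = line.split_once(':').ok_or(Reject::MalformedHead)?;
        match name.trim().to_ascii_lowercase().as_str() {
            // Content-Length must be a plain decimal: no sign, whitespace or list.
            "content-length" => {
                let v = value.trim();
                if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) || v.parse::<u64>().is_err() {
                    return Err(Reject::InvalidContentLength);
                }
            }
            "transfer-encoding" => {
                te_count += 1;
                te_value = Some(value.trim().to_ascii_lowercase());
            }
            _ => {}
        }
    }
    if te_count > 1 {
        return Err(Reject::MultipleTransferEncoding);
    }
    // A single Transfer-Encoding must be exactly "chunked" (so not "gzip, chunked").
    if te_value.as_deref().map_or(false, |v| v != "chunked") {
        return Err(Reject::TransferEncodingNotChunked);
    }
    Ok(())
}
```

Per the advisory, a rejection should be answered with an error and the downstream connection should not be reused.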
