JustAppSec

Pingora fixes critical HTTP request smuggling in HTTP/1.0 and Transfer-Encoding parsing (CVE-2026-2835)

What happened

A Cloudflare CNA CVE record for CVE-2026-2835 reports a critical HTTP Request Smuggling issue in the Pingora HTTP proxy framework, affecting the parsing of HTTP/1.0 requests and the handling of Transfer-Encoding. The vulnerability arises from allowing HTTP/1.0 request bodies to be delimited by connection close rather than by an explicit length, and from incorrect handling of multiple Transfer-Encoding values. Either can cause Pingora's request framing to diverge from the backend server's interpretation, so the two sides disagree about where one request ends and the next begins.

Who is impacted

  • Deployments running Pingora versions < 0.8.0 are affected.
  • The CVE notes the primary risk is for standalone Pingora deployments in front of backends that accept HTTP/1.0 requests.
  • Successful exploitation may enable bypass of proxy-layer controls (ACL/WAF logic), cache/upstream poisoning, and cross-user impacts (e.g., attacks that appear to originate from the trusted proxy IP).

What to do now

  • Upgrade to Pingora v0.8.0 or higher.
  • If you cannot upgrade immediately, implement request filtering to reject:
    • Any non-HTTP/1.1 request
    • Requests with invalid Content-Length
    • Requests with multiple Transfer-Encoding headers
    • Requests where Transfer-Encoding is not exactly "chunked"
  • If applying the workaround, the CVE recommends returning an error from the request-filter logic so that the proxy stops processing further bytes on that connection, and disabling downstream connection reuse so a rejected request cannot leave unread bytes for the next request on the same connection.
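The four interim filtering rules above as an added Rust example (not Pingora's own code): `RequestHead` and `Reject` are hypothetical types standing in for the parsed request head, and the sample requests are constructed. In a real deployment this check would run inside the `ProxyHttp::request_filter` hook, with a rejection answered by an error response and by disabling keepalive on the downstream session (`set_keepalive(None)`).

```rust
/// Which interim rule rejected the request.
#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    NotHttp11,
    InvalidContentLength,
    MultipleTransferEncoding,
    TransferEncodingNotChunked,
}

/// Minimal request head for this example (hypothetical; not Pingora's type).
pub struct RequestHead<'a> {
    pub version: &'a str,                 // e.g. "HTTP/1.1"
    pub headers: Vec<(&'a str, &'a str)>, // (name, raw value); names compared case-insensitively
}

/// All values of a header, matched case-insensitively on the name.
fn values<'a>(head: &RequestHead<'a>, name: &str) -> Vec<&'a str> {
    head.headers.iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
        .collect()
}

/// Ok(()) if the request passes every rule, otherwise the first rule it fails.
pub fn check_framing(head: &RequestHead) -> Result<(), Reject> {
    // Rule 1: only HTTP/1.1; HTTP/1.0 may carry a close-delimited body.
    if head.version != "HTTP/1.1" { return Err(Reject::NotHttp11); }
    // Rule 2: a single Content-Length that is a plain decimal (no sign, no junk, no overflow).
    let cl = values(head, "content-length");
    if cl.len() > 1 { return Err(Reject::InvalidContentLength); }
    if let Some(v) = cl.first() {
        let v = v.trim();
        if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) || v.parse::<u64>().is_err() {
            return Err(Reject::InvalidContentLength);
        }
    }
    // Rule 3: at most one Transfer-Encoding header.
    let te = values(head, "transfer-encoding");
    if te.len() > 1 { return Err(Reject::MultipleTransferEncoding); }
    // Rule 4: if present, the value must be exactly "chunked" (no lists, no variants).
    if let Some(v) = te.first() {
        if v.trim() != "chunked" { return Err(Reject::TransferEncodingNotChunked); }
    }
    Ok(())
}

fn main() {
    // Constructed sample: an HTTP/1.0 request with no length is the close-delimited case.
    let legacy = RequestHead { version: "HTTP/1.0", headers: vec![("Host", "app.internal")] };
    println!("{:?}", check_framing(&legacy)); // Err(NotHttp11)
}
```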

Additional Information

  • CVE: CVE-2026-2835
  • CWE: CWE-444 (Inconsistent Interpretation of HTTP Requests)
  • The CVE record states Cloudflare's CDN infrastructure was not affected, citing stricter ingress proxy behavior (HTTP/1.1-only forwarding and stricter framing validation).
  • Severity in the CVE record is CVSS v4.0 base score 9.3 (CRITICAL).
Source: CVE Project (cvelistV5)
Published 04 Mar 2026
