CVE-2026-23941 — HTTP Request Smuggling in OTP

CWE-444 — HTTP Request Smuggling6 documents6 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 93.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Erlang OTP

Timeline

PublishedMar 13

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L

Affected Packages1 packages

▶CVEListV5erlang/otp5.10 — *+2

🔴Vulnerability Details

CVEList

Request smuggling via first-wins Content-Length parsing in inets httpd↗2026-03-13

▶

OSV

CVE-2026-23941: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling↗2026-03-13

▶

📋Vendor Advisories

Microsoft

Request smuggling via first-wins Content-Length parsing in inets httpd↗2026-03-10

▶

Debian

CVE-2026-23941: erlang - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerab...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23941 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶