CVE-2026-23941
Published: 2026-03-13
Priority: P2 (60) · Severity: critical · CVSS 3.1 base score: 9.4
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.53% (40.6th percentile)
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.
This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.
The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.
This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | erlang | < erlang 1:27.3.4.9+dfsg-1 (forky) | erlang 1:27.3.4.9+dfsg-1 (forky) |
| erlang | erlang_inets | >= 5.10 < 9.1.0.5 | 9.1.0.5 |
| erlang | erlang_inets | >= 9.3 < 9.3.2.3 | 9.3.2.3 |
| erlang | erlang_inets | >= 9.6 < 9.6.1 | 9.6.1 |
| erlang | erlang_otp | >= 17.0 < 26.2.5.18 | 26.2.5.18 |
| erlang | erlang_otp | >= 27.0 < 27.3.4.9 | 27.3.4.9 |
| erlang | erlang_otp | >= 28.0 < 28.4.1 | 28.4.1 |
| erlang | otp | < * | * |
| erlang | otp | >= 17.0 < * | * |
| erlang | otp | >= 5.10 < * | * |
| msrc | azl3_erlang_26.2.5.17-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_erlang_25.3.2.21-4_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable code path is in httpd_request:parse_headers/7 within lib/inets/src/http_server/httpd_request.erl. Monitor or audit HTTP requests processed by this function for duplicate Content-Length headers, which are the attack primitive.
- Detect HTTP requests containing duplicate Content-Length headers targeting Erlang OTP inets httpd backends. The server uses the first Content-Length value while reverse proxies (nginx, Apache httpd, Envoy) use the last, enabling request smuggling desynchronization.
- Flag HTTP requests where attacker-controlled bytes are queued as the start of the next request, a symptom of CL.CL HTTP request smuggling against Erlang inets httpd. Look for unexpected pipelined or partial requests arriving at the backend.
- Affected versions span a wide range: OTP 17.0 up to (but not including) OTP 28.4.1, OTP 27.3.4.9, and OTP 26.2.5.18. Corresponding inets versions affected are 5.10 up to (but not including) 9.6.1, 9.3.2.3, and 9.1.0.5. Ensure patched versions are deployed.
- The vulnerability is specifically exploitable in deployments where Erlang inets httpd sits behind a reverse proxy (nginx, Apache httpd, or Envoy). Standalone deployments without a front-end proxy have reduced but not eliminated risk.
- Debian Bookworm, Bullseye, and Trixie remain open/unpatched as of the tracker snapshot. Only Forky and Sid have resolved fixes (1:27.3.4.9+dfsg-1). Verify your Debian release patch status before assuming coverage.
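The description above explains the first-wins versus last-wins split, and the detection items ask for duplicate Content-Length headers to be flagged. The following is an added example (not code from the OTP project or the advisory) that applies the RFC 9112 Section 6.3 rule to a raw request header block: identical duplicates may be coalesced, differing values must be rejected, and the value a first-wins backend and a last-wins proxy would each read is recorded so the desync gap is visible. The sample requests are constructed here, not taken from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 9110 token characters for a field name, then ':' and optional whitespace
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class CLCheck:
    verdict: str           # "ok", "coalesced" or "reject"
    reason: str
    first: Optional[int]   # what a first-wins parser (unpatched inets httpd) would use
    last: Optional[int]    # what a last-wins proxy (nginx, Apache httpd, Envoy) would use


def check_content_length(raw: bytes) -> CLCheck:
    """Validate the Content-Length fields of one request per RFC 9112 s6.3.

    Multiple Content-Length fields are tolerated only when every value is
    identical; differing values are an unrecoverable error and the request
    must be rejected (400) and the connection closed, so no bytes can be
    left queued as the start of the next request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    values: List[int] = []
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        m = HEADER_RE.match(line)
        if not m:
            return CLCheck("reject", "malformed header line", None, None)
        if m.group(1).lower() != b"content-length":
            continue
        for v in m.group(2).split(b","):       # list form "5, 5" counts as duplicates too
            v = v.strip()
            if not re.fullmatch(rb"[0-9]+", v):
                return CLCheck("reject", "invalid Content-Length value %r" % v, None, None)
            values.append(int(v))
    if not values:
        return CLCheck("ok", "no Content-Length", None, None)
    first, last = values[0], values[-1]
    if len(set(values)) > 1:
        return CLCheck("reject", "conflicting Content-Length values %r" % values, first, last)
    if len(values) > 1:
        return CLCheck("coalesced", "duplicate identical Content-Length %d" % first, first, last)
    return CLCheck("ok", "single Content-Length %d" % first, first, last)


# Constructed sample requests (hypothetical, not from the advisory)
SAFE = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
DUP_SAME = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello"
DUP_DIFF = b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello world"
```

On DUP_DIFF the check returns `reject` with `first=5` and `last=11`: a first-wins backend would consume 5 body bytes while a last-wins proxy forwards 11, and the 6-byte difference is exactly what the advisory describes being queued ahead of the next request.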
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| nvd | 4.0 | 7.0 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.0 | HIGH | — |
| vendor_debian | — | 7.0 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
Microsoft (vendor_msrc · 2026-03-10 · CVSS 7.0 HIGH · CWE-444)
Request smuggling via first-wins Content-Length parsing in inets httpd
Mariner, EEF
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian (vendor_debian · 2026 · CVSS 7.0 HIGH)
CVE-2026-23941: erlang - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerab...
OSV (osv · 2026-03-13 · CVSS 7.0 HIGH)
CVE-2026-23941: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling
No detection rules found.
No public exploits indexed.
References:
- https://cna.erlef.org/cves/CVE-2026-23941.html
- https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18
- https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b
- https://github.com/erlang/otp/commit/e775a332f623851385ab6ddb866d9b150612ddf6
- https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7
- https://osv.dev/vulnerability/EEF-CVE-2026-23941
- https://www.erlang.org/doc/system/versions.html#order-of-versions