CVE-2026-34475
published 2026-03-27CVE-2026-34475: Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1…
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.20%
10.2th percentile
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | — | — |
| varnish-software | varnish_cache | < 6.0.17 LTS | 6.0.17 LTS |
| varnish-software | varnish_cache | >= 7.0.0 < 8.0.1 | 8.0.1 |
| varnish-software | varnish_enterprise | <= 6.0.15 | — |
| varnish-software | varnish_enterprise | — | — |
| vinyl-cache | vinyl_cache | < 8.0.1 | 8.0.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTTP/1.1 requests where the URL path is exactly `/` targeting Varnish Cache instances, which may indicate cache poisoning or authentication bypass attempts exploiting unchecked req.url handling. ↗
- →Monitor Varnish VCL for unchecked `req.url` scenarios — specifically where `req.url` is not validated before use in cache key or access control logic, as this is the exploitable condition. ↗
- →Flag HTTP/1.1 requests with a URL path of exactly `/` that result in unexpected cache HITs for authenticated or sensitive resources, which may indicate cache poisoning via this vulnerability. ↗
- ·Varnish Cache versions before 8.0.1 are vulnerable; upgrade to 8.0.1 or later to remediate. ↗
- ·Varnish Enterprise versions before 6.0.16r12 are vulnerable; upgrade to 6.0.16r12 or later to remediate. ↗
- ·Debian bookworm, bullseye, forky, sid, and trixie all remain open (unpatched) for this CVE as of the tracker snapshot. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv5.4MEDIUM
vendor_debian5.4MEDIUM
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m9gq-cmcj-p62x: Varnish Cache before 8
ghsa_unreviewed·2026-03-27
CVE-2026-34475 [MEDIUM] CWE-180 GHSA-m9gq-cmcj-p62x: Varnish Cache before 8
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
OSV
CVE-2026-34475: Varnish Cache before 8
osv·2026-03-27·CVSS 5.4
CVE-2026-34475 [MEDIUM] CVE-2026-34475: Varnish Cache before 8
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Red Hat
Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling
vendor_redhat·2026-03-27·CVSS 5.4
CVE-2026-34475 [MEDIUM] CWE-1286 Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling
Varnish Cache: Varnish Cache and Varnish Enterprise: Cache poisoning and authentication bypass via unchecked URL handling
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
A flaw was found in Varnish Cache and Varnish Enterprise. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 requests with a path of `/` in the URL. This mishandling of URLs, specifically in unchecked `req.url` scenarios, could lead to cache poisoning, where an attacker manipulates cached content, or an authentication bypass, allowing unauthorized access.
Package: redhat-user-workloads/varnish-7-10-0 (Red Hat Enter
Debian
CVE-2026-34475: varnish - Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain u...
vendor_debian·2026·CVSS 5.4
CVE-2026-34475 [MEDIUM] CVE-2026-34475: varnish - Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain u...
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
2026-03-27
Published