cbcvebase.
CVE-2026-54388
published 2026-06-17

Priority P260 · critical · CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (35.1th percentile)
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

Affected (1 range)

Vendor      Product     Version range   Fixed in
tinyproxy   tinyproxy   <= 1.11.3

Detection & IOCs (extracted from sources)

  • Detect HTTP requests forwarded through Tinyproxy (≤1.11.3) that contain multiple Content-Length headers with differing values, the classic CL.CL HTTP Request Smuggling pattern used to desynchronize proxy and backend parser state.
  • Monitor for signs of HTTP Request Smuggling attack outcomes behind Tinyproxy: unexpected cache poisoning events, access control bypass anomalies, or request hijacking indicators on backend servers.
  • Tinyproxy versions through 1.11.3 are vulnerable; the fix was introduced in commit 364cdb6. Verify the deployed version and patch status before concluding exposure.
  • Fedora and EPEL package updates (tinyproxy-1.11.2-8) have been submitted or pushed to testing repositories for Fedora 43 and 44 and for EPEL 8, 9, 10.2 and 10.3; confirm stable promotion before treating the package as patched.
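As an added defensive example (not Tinyproxy's code and not the fix in commit 364cdb6), the check below parses the header block of a raw HTTP/1.1 request and returns the verdict a strict proxy should reach under the RFC 9112 Content-Length rule: conflicting values are rejected rather than forwarded, identical duplicates are flagged for collapsing, and malformed values are rejected. The sample requests and the host name are constructed.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ContentLengthCheck:
    values: List[int] = field(default_factory=list)  # every Content-Length seen, in order
    verdict: str = "ok"  # "ok", "no-body" or "reject"
    reason: str = ""


def check_content_length(raw: bytes) -> ContentLengthCheck:
    """Parse the header block of one raw HTTP/1.1 request and apply the
    RFC 9112 Content-Length rule a proxy should enforce before forwarding."""
    result = ContentLengthCheck()
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        result.verdict, result.reason = "reject", "incomplete header block"
        return result
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or name.strip().lower() != b"content-length":
            continue
        text = value.strip()
        if not text.isdigit():  # also rejects comma-separated lists such as "6, 6"
            result.verdict, result.reason = "reject", f"malformed Content-Length {text!r}"
            return result
        result.values.append(int(text))
    if not result.values:
        result.verdict = "no-body"
    elif len(set(result.values)) > 1:
        # CL.CL: vulnerable Tinyproxy consumed values[0] bytes of body yet forwarded
        # every copy, so a backend honouring another copy reads a different body.
        result.verdict, result.reason = "reject", f"conflicting Content-Length {result.values}"
    elif len(result.values) > 1:
        result.reason = "duplicate identical Content-Length; collapse to one before forwarding"
    return result


# Constructed sample requests (not captured traffic); backend.test is a placeholder.
CONFLICTING = (b"POST /api HTTP/1.1\r\nHost: backend.test\r\n"
               b"Content-Length: 6\r\nContent-Length: 20\r\n\r\nabcdef")
BENIGN = b"POST /api HTTP/1.1\r\nHost: backend.test\r\nContent-Length: 6\r\n\r\nabcdef"
SAME_TWICE = (b"POST /api HTTP/1.1\r\nHost: backend.test\r\n"
              b"Content-Length: 6\r\nContent-Length: 6\r\n\r\nabcdef")

if __name__ == "__main__":
    for label, req in (("conflicting", CONFLICTING), ("benign", BENIGN), ("same-twice", SAME_TWICE)):
        r = check_content_length(req)
        print(f"{label:11} -> {r.verdict:7} values={r.values} {r.reason}")
```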

CVSS provenance

Source: nvd · CVSS v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: nvd · CVSS v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Source: cvelistv5 · CVSS v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N