CVE-2026-6733
Published: 2026-06-17
Priority: P4 · 17 · low · 3.7 (CVSS 3.1)
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.23% (13.5th percentile)
Impact:
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
Patches:
Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
Workarounds:
Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
Affected
39 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| nodejs | nodejs | — | — |
| nodejs | undici | < 6.27.0 | 6.27.0 |
| nodejs | undici | >= 7.0.0 < 7.28.0 | 7.28.0 |
| nodejs | undici | >= 8.0.0 < 8.5.0 | 8.5.0 |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| cvelistv5 | 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | — | 3.7 | LOW | — |
GHSA
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
ghsa · 2026-06-19 · CVE-2026-6733 [LOW] · CWE-367
## Impact
Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.
This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.
## Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
## Workarounds
Disable keep-alive connection reuse by setting `keepAliveTimeout: 0` on the Client or Pool.
CVEList
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
cvelistv5 · 2026-06-17 · CVSS 3.7 · CVE-2026-6733 [LOW] · CWE-367
VulDB
undici up to 6.25.x/7.27.x/8.4.x Setting toctou (GHSA-35p6-xmwp-9g52)
vuldb · 2026-06-17 · CVE-2026-6733 [LOW]
A vulnerability has been found in undici up to 6.25.x/7.27.x/8.4.x and classified as problematic. This impacts an unknown function of the component Setting Handler. The manipulation leads to time-of-check time-of-use.
This vulnerability is referenced as CVE-2026-6733. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
Red Hat
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
vendor_redhat · 2026-06-17 · CVSS 3.7 · CVE-2026-6733 [LOW] · CWE-940
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6733 undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
bugzilla · 2026-06-17 · CVE-2026-6733 [LOW]
Bugzilla
CVE-2026-6733 fbthrift: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. [fedora-all]
bugzilla · 2026-06-17 · CVE-2026-6733 [LOW]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6733 nodejs24: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. [fedora-all]
bugzilla · 2026-06-17 · CVE-2026-6733 [LOW]
Bugzilla
CVE-2026-6733 nodejs20: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. [fedora-all]
bugzilla · 2026-06-17 · CVE-2026-6733 [LOW]
Bugzilla
CVE-2026-6733 nodejs22: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. [fedora-all]
bugzilla · 2026-06-17 · CVE-2026-6733 [LOW]