CVE-2026-33555

Severity: Medium (Red Hat)
CVSS v3 Base Score: 4.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Characteristics

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Confidentiality: None
Integrity: Low
Availability: None

Published: April 13, 2026
Last Modified: April 13, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in HAProxy. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP/3 request. The HTTP/3 parser fails to verify that the received body length matches the announced content-length when a stream is closed with an empty payload. This desynchronization with the backend server can lead to request smuggling, allowing an attacker to bypass security mechanisms and potentially access unauthorized resources.

CWE

CWE-130

Affected Products

Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat OpenShift Container Platform 4
