Cyber Resilience

CVE-2026-23527

HighPublic PoC

Published: 15 January 2026

Published
15 January 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0058 43.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-23527 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in H3 H3. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-23527 is a critical HTTP Request Smuggling vulnerability (CWE-444) affecting H3, a minimal HTTP framework designed for high performance and portability. In versions prior to 1.15.5, the readRawBody function performs a strict case-sensitive check for the "chunked" value in the Transfer-Encoding header, whereas the relevant RFC requires case-insensitive matching. This discrepancy allows malformed requests to bypass proper parsing. The vulnerability received a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and was published on 2026-01-15.

Remote attackers with no privileges or user interaction can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation enables scope-changed impacts, including high confidentiality and integrity violations—such as smuggling malicious requests past intermediaries—and low availability disruption.

The issue is fixed in H3 version 1.15.5, as detailed in the project's security advisory (GHSA-mp2g-9vg9-f4cg), release notes, and the fixing commit. Security practitioners should upgrade to 1.15.5 or later; additional analysis is available in a public writeup.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but…

more

per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of public-facing HTTP framework via request smuggling to bypass intermediaries and achieve scope-changed impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33131Same product: H3 H3
CVE-2026-33128Same product: H3 H3
CVE-2026-40562Shared CWE-444
CVE-2026-41873Shared CWE-444
CVE-2026-2833Shared CWE-444
CVE-2026-28368Shared CWE-444
CVE-2025-31958Shared CWE-444
CVE-2026-24880Shared CWE-444
CVE-2026-33870Shared CWE-444
CVE-2026-2332Shared CWE-444

Affected Assets

h3
h3
≤ 1.15.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the case-sensitive Transfer-Encoding header parsing flaw in H3 prior to version 1.15.5, preventing HTTP request smuggling exploitation.

prevent

Mandates validation of HTTP request inputs to reject malformed headers exploiting case-insensitive RFC requirements for Transfer-Encoding chunked values.

preventdetect

Enforces boundary protection at external interfaces with protocol validation to block or detect HTTP request smuggling attempts bypassing H3's flawed parsing.

References