Cyber Posture

CVE-2026-23527

High · Public PoC

Published: 15 January 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed in 1.15.5)
CVSS Score: 8.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23527 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in the H3 HTTP framework (vendor: H3). Its CVSS base score is 8.9 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation). Directly requires timely remediation of the case-sensitive Transfer-Encoding header parsing flaw in H3 prior to version 1.15.5, preventing HTTP request smuggling exploitation.

Prevent: Mandates validation of HTTP request inputs to reject malformed headers that abuse the gap between the RFC's case-insensitive matching of the Transfer-Encoding "chunked" value and H3's case-sensitive check.

Prevent / Detect: SC-7 (Boundary Protection). Enforces boundary protection at external interfaces with protocol validation to block or detect HTTP request smuggling attempts that bypass H3's flawed parsing.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct exploitation of public-facing HTTP framework via request smuggling to bypass intermediaries and achieve scope-changed impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.

Deeper analysis

CVE-2026-23527 is a critical HTTP Request Smuggling vulnerability (CWE-444) affecting H3, a minimal HTTP framework designed for high performance and portability. In versions prior to 1.15.5, the readRawBody function performs a strict case-sensitive check for the "chunked" value in the Transfer-Encoding header, whereas the relevant RFC requires case-insensitive matching. This discrepancy allows malformed requests to bypass proper parsing. The vulnerability received a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and was published on 2026-01-15.

Remote attackers with no privileges or user interaction can exploit this vulnerability over the network, though it requires high attack complexity. Successful exploitation enables scope-changed impacts: high confidentiality and integrity violations (for example, smuggling malicious requests past intermediaries) and low availability disruption.

The issue is fixed in H3 version 1.15.5, as detailed in the project's security advisory (GHSA-mp2g-9vg9-f4cg), release notes, and the fixing commit. Security practitioners should upgrade to 1.15.5 or later; additional analysis is available in a public writeup.
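As an added illustration (not H3's readRawBody and not code from the advisory), the following JavaScript contrasts the case-sensitive check described above with an RFC-style check, flags header values the two would frame differently, and shows a boundary-side normalization a proxy or middleware could apply. The function names and the lower-cased header object are assumptions made for the example.

```javascript
// Added example (not H3's code): models the parsing discrepancy the advisory
// describes and a boundary check a front end or middleware could apply.

// Vulnerable-style check, as the advisory describes readRawBody's behaviour:
// an exact, case-sensitive comparison against the literal "chunked".
function strictChunkedCheck(transferEncoding) {
  return transferEncoding === "chunked";
}

// RFC-style check: Transfer-Encoding is a comma-separated list of
// case-insensitive transfer codings, and the body is chunk-framed only when
// "chunked" is the final coding.
function rfcChunkedCheck(transferEncoding) {
  if (transferEncoding === undefined) return false;
  const codings = transferEncoding
    .split(",")
    .map((c) => c.trim().toLowerCase())
    .filter((c) => c.length > 0);
  return codings.length > 0 && codings[codings.length - 1] === "chunked";
}

// True when a spec-compliant intermediary and the strict parser would frame
// the body differently; that disagreement is the precondition for smuggling,
// so it is the condition a defender wants to log or reject at the edge.
function parserDisagreement(transferEncoding) {
  return strictChunkedCheck(transferEncoding) !== rfcChunkedCheck(transferEncoding);
}

// Boundary policy (SC-7 in the page's terms). `headers` is assumed to use
// lower-cased keys, as Node's http module does. Ambiguous framing (both
// Transfer-Encoding and Content-Length) is refused; otherwise the header is
// rewritten to its canonical form before it reaches the application parser.
function normalizeFraming(headers) {
  const te = headers["transfer-encoding"];
  if (te !== undefined && headers["content-length"] !== undefined) {
    return { action: "reject", reason: "Transfer-Encoding with Content-Length" };
  }
  if (te === undefined) return { action: "allow", headers: { ...headers } };
  if (!rfcChunkedCheck(te)) {
    return { action: "reject", reason: "chunked is absent or not the final coding" };
  }
  return { action: "allow", headers: { ...headers, "transfer-encoding": "chunked" } };
}

// Constructed sample values, not taken from any real capture.
const SAMPLE_VALUES = ["chunked", "Chunked", "gzip, chunked", "chunked, gzip"];
for (const v of SAMPLE_VALUES) {
  console.log(JSON.stringify(v), "disagreement:", parserDisagreement(v));
}
```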

Details

CWE(s): CWE-444 (HTTP Request/Response Smuggling)

Affected Products

h3 (vendor: h3): ≤ 1.15.5

CVEs Like This One

CVE-2026-33131 · Same product: H3
CVE-2026-33128 · Same product: H3
CVE-2026-2833 · Shared CWE-444
CVE-2026-28368 · Shared CWE-444
CVE-2026-28369 · Shared CWE-444
CVE-2026-2332 · Shared CWE-444
CVE-2026-33870 · Shared CWE-444
CVE-2025-65114 · Shared CWE-444
CVE-2026-41873 · Shared CWE-444
CVE-2026-40560 · Shared CWE-444

References