Cyber Resilience

CVE-2026-27630

HighDDoS

Published: 26 February 2026

Published
26 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 34.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27630 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ritlabs Tinyweb. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and AC-12 (Session Termination).

Deeper analysis

CVE-2026-27630 is a Denial of Service vulnerability affecting TinyWeb, a lightweight web server for HTTP and HTTPS written in Delphi for Win32 platforms. Versions prior to 2.02 are susceptible to a Slowloris-style attack due to the server spawning a new operating system thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. This flaw, associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated remote attacker can exploit the vulnerability by establishing numerous connections to the server and transmitting data at an exceptionally slow rate, such as 1 byte every few minutes. This partial request technique ties up server threads and exhausts available memory and concurrency limits, rendering the server unresponsive to legitimate traffic and causing a denial of service.

Version 2.02 addresses the issue by introducing a CMaxConnections limit defaulting to 512 and a CConnectionTimeoutSecs idle timeout of 30 seconds. Advisories recommend upgrading to this patched version, with commit details available at the project's GitHub repository. As a temporary mitigation if immediate upgrading is not feasible, deploy the server behind a robust reverse proxy or Web Application Firewall such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and strictly enforce connection limits and timeouts. Further guidance is provided in the GitHub security advisory and related blog post.

EU & UK References

Vulnerability details

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection…

more

without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.002 Service Exhaustion Flood Impact
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The vulnerability directly enables a Slowloris-style resource exhaustion attack against the web server by allowing an attacker to tie up threads via slow partial requests, mapping to service exhaustion for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27633Same product: Ritlabs Tinyweb
CVE-2026-29046Same product: Ritlabs Tinyweb
CVE-2026-28497Same product: Ritlabs Tinyweb
CVE-2026-22781Same product: Ritlabs Tinyweb
CVE-2026-27613Same product: Ritlabs Tinyweb
CVE-2023-34397Shared CWE-400
CVE-2026-41399Shared CWE-770
CVE-2024-41743Shared CWE-770
CVE-2026-32062Shared CWE-770
CVE-2025-0114Shared CWE-400

Affected Assets

ritlabs
tinyweb
≤ 2.02

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements denial-of-service protections such as connection limits and timeouts to prevent resource exhaustion from Slowloris attacks exploiting unlimited concurrent connections.

prevent

Enforces limits on concurrent sessions or connections to block attackers from spawning excessive threads and exhausting server memory.

prevent

Mandates termination of idle sessions after a defined timeout, closing slow partial requests that tie up server resources in Slowloris attacks.

References