Cyber Posture

CVE-2026-2833

Critical

Published: 05 March 2026
Modified: 12 March 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: upgrade to Pingora v0.8.0 or higher
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2833 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Cloudflare Pingora. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Directly remediates the HTTP request smuggling flaw in Pingora by requiring timely identification, reporting, and patching to v0.8.0 or higher as recommended.

SI-10 Information Input Validation (prevent)

Validates and sanitizes HTTP request inputs, including Upgrade headers, to block smuggling payloads before they reach the backend and bypass proxy controls.

prevent

Requires boundary proxies to monitor and control communications, ensuring proper HTTP parsing boundaries to prevent premature forwarding that enables smuggling.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CVE describes a remotely exploitable flaw in a public-facing HTTP proxy (Pingora) that allows direct request smuggling to bypass ACL/WAF controls and hijack responses/sessions. This maps directly to exploitation of an exposed application without requiring privileges or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.

Impact

This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:

* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP

Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.

Mitigation

Pingora users should upgrade to Pingora v0.8.0 or higher. As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.

Deeper analysis [AI]

CVE-2026-2833 is an HTTP request smuggling vulnerability (CWE-444) in Pingora's handling of HTTP/1.1 connection upgrades, with a CVSS score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The flaw affects Pingora proxies, particularly standalone deployments exposed to external traffic. It arises when the proxy reads a request containing an Upgrade header and prematurely passes the remaining bytes on the connection to a backend before the backend accepts the upgrade, enabling attackers to forward malicious payloads that may be interpreted as subsequent request headers.

Remote attackers require no privileges or user interaction to exploit this vulnerability. By sending a crafted request with an Upgrade header followed by a malicious payload, they can bypass proxy-level access control lists (ACLs) and web application firewall (WAF) logic, poison caches and upstream connections to deliver responses intended for smuggled requests to legitimate users, and conduct cross-user attacks such as session hijacking by making smuggled requests appear to originate from the trusted proxy IP.

Advisories recommend upgrading to Pingora v0.8.0 or higher to mitigate the issue. As a workaround, implement request filter logic to return an error on requests containing an Upgrade header, halting processing beyond the request headers and disabling downstream connection reuse. Cloudflare's CDN infrastructure is unaffected, as its ingress proxies enforce proper HTTP parsing boundaries without prematurely switching to upgraded connection forwarding.
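The workaround given in the NVD description and restated above (reject any request that carries an Upgrade header before the proxy forwards anything beyond the request head, and do not reuse the downstream connection) is illustrated by the following added example. It is not Pingora's code and not Cloudflare's; it is a standalone Rust model of that filter decision. The names `parse_head`, `decide` and `Decision` are hypothetical, the sample requests are constructed, and the only assumption about the real proxy is that its request filter can inspect parsed headers and short-circuit with an error. It goes slightly beyond the advisory text in one respect: a `Connection` header that names the `upgrade` token is treated as an upgrade attempt even when the `Upgrade` header itself is missing.

```rust
// Added example (not Pingora's own code): a request-head parser that consumes
// only the header block, plus the filter decision the advisory's workaround
// describes. Hypothetical names: parse_head, decide, Decision.

#[derive(Debug, PartialEq)]
pub enum Decision {
    /// No upgrade requested: proxy the request normally.
    Forward,
    /// Upgrade requested: answer with `status` and, when `close_connection`
    /// is set, drop the client connection instead of reusing it, so no bytes
    /// beyond the request head are ever handed to a backend.
    Reject { status: u16, close_connection: bool },
}

/// Parse an HTTP/1.1 request head from `raw`. Returns the (name, value)
/// header pairs and the byte offset just past the terminating CRLF CRLF,
/// so the caller can see exactly which bytes were *not* consumed.
/// Returns None for an incomplete or malformed head.
pub fn parse_head(raw: &str) -> Option<(Vec<(&str, &str)>, usize)> {
    let end = raw.find("\r\n\r\n")?; // end of the header block
    let head = &raw[..end];
    let mut lines = head.split("\r\n");
    let request_line = lines.next()?;
    // Minimal sanity check: METHOD SP TARGET SP VERSION
    if request_line.split(' ').count() != 3 {
        return None;
    }
    let mut headers = Vec::new();
    for line in lines {
        let (name, value) = line.split_once(':')?;
        headers.push((name.trim(), value.trim()));
    }
    Some((headers, end + 4))
}

/// True if a Connection header value lists the `upgrade` token
/// (token list is comma-separated and case-insensitive).
fn connection_lists_upgrade(value: &str) -> bool {
    value
        .split(',')
        .any(|tok| tok.trim().eq_ignore_ascii_case("upgrade"))
}

/// The filter decision: reject as soon as an upgrade is requested.
/// Status 400 is an assumption; the advisory only says "return an error".
pub fn decide(headers: &[(&str, &str)]) -> Decision {
    let mut wants_upgrade = false;
    for &(name, value) in headers {
        if name.eq_ignore_ascii_case("upgrade")
            || (name.eq_ignore_ascii_case("connection") && connection_lists_upgrade(value))
        {
            wants_upgrade = true;
        }
    }
    if wants_upgrade {
        Decision::Reject { status: 400, close_connection: true }
    } else {
        Decision::Forward
    }
}

fn main() {
    // Constructed sample: a WebSocket upgrade request followed by extra bytes
    // on the same connection. The filter must stop at the end of the head.
    let raw = "GET /chat HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade\r\n\
               Upgrade: websocket\r\n\r\nleftover-bytes";
    match parse_head(raw) {
        Some((headers, consumed)) => println!(
            "{:?}; {} bytes after the head left unforwarded",
            decide(&headers),
            raw.len() - consumed
        ),
        None => println!("incomplete or malformed request head"),
    }
}
```

In a real deployment the equivalent of `decide` runs inside the proxy's request filter; the point of tracking the consumed offset is that a rejected request's trailing bytes are discarded with the connection rather than forwarded to a backend that has not agreed to the upgrade.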

Details

CWE(s): CWE-444 (HTTP Request/Response Smuggling)

Affected Products

cloudflare pingora, versions ≤ 0.8.0

CVEs Like This One

CVE-2026-2835: same product (Cloudflare Pingora)
CVE-2026-2836: same product (Cloudflare Pingora)
CVE-2026-1229: same vendor (Cloudflare)
CVE-2026-28368: shared CWE-444
CVE-2026-28369: shared CWE-444
CVE-2026-2332: shared CWE-444
CVE-2026-23527: shared CWE-444
CVE-2025-65114: shared CWE-444
CVE-2026-41873: shared CWE-444
CVE-2025-31958: shared CWE-444

References