CVE-2026-33870

HighPublic PoC

Published: 27 March 2026

Published

27 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0002 5.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33870 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Netty Netty. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses CVE-2026-33870 by requiring timely remediation through upgrading vulnerable Netty versions to 4.1.132.Final or 4.2.10.Final.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Detects the presence of CVE-2026-33870 in Netty components via vulnerability scanning, enabling proactive patching.

SC-7 Boundary Protection partial match

preventdetect

Mitigates HTTP request smuggling exploitation of Netty's parsing flaw by enforcing boundary protections like WAFs to block or normalize inconsistent requests.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing Netty HTTP framework enables remote exploitation via crafted chunked transfer requests for smuggling attacks that bypass controls or poison caches.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Deeper analysisAI

CVE-2026-33870 affects Netty, an asynchronous, event-driven network application framework, in versions prior to 4.1.132.Final and 4.2.10.Final. The vulnerability stems from Netty's incorrect parsing of quoted strings within HTTP/1.1 chunked transfer encoding extension values, which enables HTTP request smuggling attacks. This issue is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact from network-accessible exploitation with low complexity and no privileges required.

Remote attackers can exploit this vulnerability by crafting malicious HTTP requests that leverage the parsing flaw in chunked transfer encoding extensions. By smuggling requests, attackers may bypass frontend security controls, such as web application firewalls, poison backend caches, or hijack user sessions, depending on the deployment topology involving Netty-based servers or proxies.

The official Netty security advisory on GitHub (GHSA-pwqr-wmgm-9rr8) confirms that upgrading to Netty versions 4.1.132.Final or 4.2.10.Final resolves the issue by correcting the parsing logic. Additional technical details appear in blog posts on w4ke.info, and the vulnerability relates to HTTP/1.1 specifications outlined in RFC 9110.