Cyber Resilience

CVE-2026-50052

Low · Updated

Published: 03 June 2026

Modified: 01 July 2026
CVSS v4 Score: 2.3
CVSS v4 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green
EPSS Score: 0.0035 (26.9th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-50052 is a low-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Vinyl Cache (inferred from references). Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE directly describes an exploitable HTTP/2 parsing flaw in a public-facing cache server that enables request smuggling attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2833 · Shared CWE-444
CVE-2026-33870 · Shared CWE-444
CVE-2026-2332 · Shared CWE-444
CVE-2026-23527 · Shared CWE-444
CVE-2026-24880 · Shared CWE-444
CVE-2026-28367 · Shared CWE-444
CVE-2026-42581 · Shared CWE-444
CVE-2026-40562 · Shared CWE-444
CVE-2026-1525 · Shared CWE-444
CVE-2025-6999 · Shared CWE-444

Affected Assets

Vinyl Cache
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References