{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33555", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T13:22:39.253Z", "dateReserved": "2026-03-22T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HAProxy", "vendor": "HAProxy", "versions": [{"lessThan": "3.3.6", "status": "affected", "version": "2.6", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:22:13.958Z"}, "references": [{"url": "https://www.haproxy.org"}, {"url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6", "versionEndExcluding": "3.3.6"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:21:23.083569Z", "id": "CVE-2026-33555", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:22:39.253Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33555", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:21:23.083569Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:22:34.930Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "HAProxy", "product": "HAProxy", "versions": [{"status": "affected", "version": "2.6", "lessThan": "3.3.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.haproxy.org"}, {"url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.3.6", "versionStartIncluding": "2.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T16:22:13.958Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33555", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:22:39.253Z", "dateReserved": "2026-03-22T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6."}], "id": "CVE-2026-33555", "lastModified": "2026-04-13T17:16:28.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-13T17:16:28.237", "references": [{"source": "cve@mitre.org", "url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84"}, {"source": "cve@mitre.org", "url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/"}, {"source": "cve@mitre.org", "url": "https://www.haproxy.org"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "haproxy: HAProxy: Request smuggling via HTTP/3 parser desynchronization", "id": "2457920", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457920"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-130", "details": ["A flaw was found in HAProxy. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP/3 request. The HTTP/3 parser fails to verify that the received body length matches the announced content-length when a stream is closed with an empty payload. This desynchronization with the backend server can lead to request smuggling, allowing an attacker to bypass security mechanisms and potentially access unauthorized resources."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33555", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "haproxy", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33555\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33555\nhttps://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84\nhttps://www.haproxy.com/documentation/haproxy-aloha/changelog/\nhttps://www.haproxy.org\nhttps://www.mail-archive.com/haproxy@formilux.org/msg46752.html"], "threat_severity": "Moderate"}

{}