{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50052", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-06-03T03:56:01.075Z", "datePublished": "2026-06-03T03:56:01.974Z", "dateUpdated": "2026-06-03T03:59:35.155Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vinyl Cache", "programFiles": ["bin/vinyld/http2/cache_http2_hpack.c"], "repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache", "vendor": "The Vinyl Cache Project", "versions": [{"status": "affected", "version": "9.0.0"}, {"status": "unaffected", "version": "9.0.1"}]}, {"defaultStatus": "unaffected", "product": "Varnish Cache (pre split)", "programFiles": ["bin/varnishd/http2/cache_http2_hpack.c"], "repo": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache", "vendor": "The Vinyl Cache Project", "versions": [{"lessThanOrEqual": "8.0.1", "status": "affected", "version": "7.6.0", "versionType": "semver"}, {"status": "unaffected", "version": "8.0.2"}, {"lessThanOrEqual": "6.0.17", "status": "affected", "version": "6.0.14", "versionType": "semver"}, {"status": "unaffected", "version": "6.0.18"}]}, {"defaultStatus": "unaffected", "product": "Varnish Cache by Varnish Software", "programFiles": ["bin/vinyld/http2/cache_http2_hpack.c"], "repo": "https://github.com/varnish/varnish", "vendor": "Varnish Software", "versions": [{"lessThanOrEqual": "9.0.2", "status": "affected", "version": "9.0.0", "versionType": "semver"}, {"status": "unaffected", "version": "9.0.3"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>http2 enabled</div><div>exploitable URLs present (require request body)</div>"}], "value": "http2 enabled\n\nexploitable URLs present (require request body)"}], "descriptions": [{"lang": "en", "value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-06-03T03:59:35.155Z"}, "references": [{"url": "https://vinyl-cache.org/security/VSV00019.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Update to fix version</div><div><br></div>"}], "value": "Update to fix version"}], "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h3>Disable HTTP/2</h3><p>The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled</p>\n<ul>\n<li><p>at runtime by issuing <code>vinyladm param.set feature -http2</code></p></li>\n<li><p>persistently by removing <code>-p feature=+http2</code> from the <code>vinyld</code> startup\nparameters</p></li>\n</ul>\n<p>Note that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the <code>h2</code> ALPN. For example with <code>haproxy</code>, in the\n<code>listen</code>/<code>bind</code> configuration directive, <code>alpn h2,http/1.1</code> should be\nreplaced with <code>alpn http/1.1</code>.</p><br>"}], "value": "Disable HTTP/2The vulnerability can only be exploited if HTTP/2 support is enabled. Where it\nis, it can be disabled\n\n\n\n * at runtime by issuing vinyladm param.set feature -http2\n\n\n\n * persistently by removing -p feature=+http2 from the vinyld startup\nparameters\n\n\n\n\n\n\nNote that HTTP/2 typically requires a TLS offloader, which must be changed to no\nlonger send the h2 ALPN. For example with haproxy, in the\nlisten/bind configuration directive, alpn h2,http/1.1 should be\nreplaced with alpn http/1.1."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h3>In VCL, add a vmod re2 header filter</h3><p>This method requires <a target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\">vmod_re2</a>.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\">vmod_re2</a> header filters (see the <a target=\"_blank\" rel=\"nofollow\" href=\"https://vinyl-cache.org/tutorials/hdr_filter.html\">tutorial</a> for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.</p>\n<p>To the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:</p>\n<div><div><pre>## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%&amp;'*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n</pre></div>\n</div>\n<p>To the best of our knowledge, where <a target=\"_blank\" rel=\"nofollow\" href=\"https://gitlab.com/uplex/varnish/libvmod-re2\">vmod_re2</a> is already used with a\n<code>hdr_filter</code> in allow mode (second argument <code>true</code>), protection is already\nsufficient unless the empty string is allowed.</p><br>"}], "value": "In VCL, add a vmod re2 header filterThis method requires vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 .\n\n\n vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 header filters (see the tutorial https://vinyl-cache.org/tutorials/hdr_filter.html for more information) can be\nused to remove injected invalid header lines, which are the vehicle required for\nlaunching desync attacks exploiting this vulnerability.\n\n\nTo the best of our knowledge, the following VCL snippet at the top of the custom\nVCL adds protection by removing invalid headers:\n\n\n## BEGIN vsv19 mitigation\n#\nimport re2;\nsub vcl_init {\n new sane = re2.set(anchor=start, case_sensitive=false);\n # https://httpwg.org/specs/rfc9110.html#rule.token.separators\n # SLIGHTLY more relaxed, because it allows trailing SP / HTAB\n sane.add(\"[-!#$%&'*+.^_`|~a-z0-9]+:[\\s\\x21-\\x7E\\x80-\\xff]+$\");\n}\nsub vcl_recv {\n sane.hdr_filter(req, true);\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nTo the best of our knowledge, where vmod_re2 https://gitlab.com/uplex/varnish/libvmod-re2 is already used with a\nhdr_filter in allow mode (second argument true), protection is already\nsufficient unless the empty string is allowed."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h4>&gt;= 7.6.0 plain VCL mitigation</h4><p>For versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.</p>\n<p>For Vinyl Cache:</p>\n<ul>\n<li><p>at runtime by issuing <code>vinyladm param.set vcc_feature +allow_inline_c</code></p></li>\n<li><p>persistently by adding <code>-p vcc_feature=+allow_inline_c</code> to the <code>vinyld</code>\nstartup parameters</p></li>\n</ul>\n<p>For Varnish Cache:</p>\n<ul>\n<li><p>at runtime by issuing <code>varnishadm param.set vcc_feature +allow_inline_c</code></p></li>\n<li><p>persistently by adding <code>-p vcc_feature=+allow_inline_c</code> to the <code>varnishd</code>\nstartup parameters</p></li>\n</ul>\n<p>Besides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:</p>\n<div><div><pre>## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, &amp;VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, &amp;VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n</pre></div>\n</div>\n<p>In addition, care must be taken that <code>bereq.http.Connection</code> is not unset\nanywhere else in the custom VCL.</p><br>"}], "value": ">= 7.6.0 plain VCL mitigationFor versions 7.6.0 and higher, this method requires no additional VMODs, but\nneeds inline-C to be enabled.\n\n\nFor Vinyl Cache:\n\n\n\n * at runtime by issuing vinyladm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the vinyld\nstartup parameters\n\n\n\n\n\n\nFor Varnish Cache:\n\n\n\n * at runtime by issuing varnishadm param.set vcc_feature +allow_inline_c\n\n\n\n * persistently by adding -p vcc_feature=+allow_inline_c to the varnishd\nstartup parameters\n\n\n\n\n\n\nBesides enabling inline-C, the following snippet needs to be added at the top of\nthe custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n C{\n VRT_SetHdr(ctx, &VGC_HDR_REQ_content_2d_length, 0,\n TOSTRAND(VRT_GetHdr(ctx, &VGC_HDR_REQ_content_2d_length)));\n }C\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<h4>6.0 plain VCL mitigation</h4><p>For version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:</p>\n<div><div><pre>## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n</pre></div>\n</div>\n<p>In addition, care must be taken that <code>bereq.http.Connection</code> is not unset\nanywhere else in the custom VCL.</p><br>"}], "value": "6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes\nrequired. The following snippet needs to be added at the top of the custom VCL:\n\n\n## BEGIN vsv19 mitigation\n#\nsub recv_vsv19 {\n unset req.http.vsv19;\n if (req.proto != \"HTTP/2.0\" || ! req.http.content-length) {\n return;\n }\n set req.http.vsv19 = \"1\";\n set req.http.content-length = req.http.content-length;\n}\nsub vcl_recv {\n call recv_vsv19;\n}\nsub vcl_backend_fetch {\n if (bereq.http.vsv19) {\n set bereq.http.Connection = \"close\";\n }\n}\n#\n## END vsv19 mitigation\n\n\n\n\n\n\n\n\nIn addition, care must be taken that bereq.http.Connection is not unset\nanywhere else in the custom VCL."}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault."}], "id": "CVE-2026-50052", "lastModified": "2026-06-03T06:16:35.390", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-06-03T06:16:35.390", "references": [{"source": "cve@mitre.org", "url": "https://vinyl-cache.org/security/VSV00019.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"created": "2026-06-03T13:30:26.239873+00:00", "title": "HTTP/2 Request Parsing Flaw Enabling Backend Desync Attack in Vinyl Cache and Varnish Cache", "updated": "2026-06-03T13:30:26.239884+00:00", "vendors": []}