Inconsistent interpretation of HTTP requests in Cpp-httplib - CVE-2026-34441
Published: April 24, 2026
Vulnerability identifier: #VU127466
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34441
CWE-ID: CWE-444
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cpp-httplib Project
Affected software:
Cpp-httplib
Cpp-httplib
Detailed vulnerability description
The vulnerability allows a remote attacker to smuggle arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in the static file handler and request parsing logic when processing GET requests with a body on HTTP/1.1 keep-alive connections or requests containing both Content-Length and Transfer-Encoding headers. A remote attacker can send a specially crafted GET request with an embedded HTTP request to smuggle arbitrary HTTP requests.
When deployed behind a reverse proxy, the issue can enable proxy-backend desynchronization and proxy-level access control bypass.
How to mitigate CVE-2026-34441
Install security update from vendor's website.