Cloudflare has released version 0.8.0 of its open-source Pingora framework to patch three critical vulnerabilities: CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836.
These flaws allow HTTP request smuggling and cache poisoning, posing a severe threat to standalone Pingora deployments exposed directly to the internet.
Cloudflare confirmed that its own Content Delivery Network (CDN) and customer traffic were completely unaffected by these issues, as its internal infrastructure does not deploy Pingora as a directly exposed ingress proxy.
Vulnerabilities in Pingora Framework
The vulnerabilities, discovered and reported by security researcher Rajat Raghav via Cloudflare’s Bug Bounty Program, carry critical severity ratings (up to 9.3 out of 10).
If left unpatched, they enable attackers to bypass proxy-level Access Control Lists (ACLs) and Web Application Firewalls (WAFs), hijack cross-user sessions, and poison upstream connections.
Premature Connection Upgrades (CVE-2026-2833)
The first vulnerability stems from Pingora’s handling of HTTP/1.1 connection upgrade requests.
When Pingora received an “Upgrade” header, it immediately switched to a passthrough mode before the backend server officially confirmed the upgrade with a “101 Switching Protocols” response.
Attackers could exploit this premature switch by appending a hidden second request to their initial payload.
Pingora would mistakenly forward this smuggled request directly to the backend, completely bypassing proxy-level security controls and potentially hijacking subsequent user sessions.
HTTP/1.0 and Transfer-Encoding Flaws (CVE-2026-2835)
The second flaw involves Pingora’s non-compliant parsing of older HTTP/1.0 requests.
Pingora incorrectly allowed HTTP/1.0 request bodies to be close-delimited and mishandled “Transfer-Encoding: chunked” headers.
Because Pingora and the backend server interpreted the request body length differently, attackers could deliberately desynchronize the connection framing.
This classic HTTP desync attack allows malicious payloads to slip past the proxy undetected.
Default Cache Key Poisoning (CVE-2026-2836)
The final vulnerability relates to a design flaw in Pingora’s default cache key construction.
The default implementation generated cache keys based solely on the Uniform Resource Identifier (URI) path, ignoring critical differentiators such as the host header or HTTP scheme.
Because it failed to distinguish between different hosts sharing the same URI path, attackers could easily force cache collisions, causing legitimate users to receive cross-origin or malicious responses.
Cloudflare strongly recommends that all organizations using standalone Pingora proxies apply the following mitigations:
Update Immediately: Upgrade all Pingora deployments to version 0.8.0 or newer to fix the parsing logic and enforce strict RFC compliance.
Implement Custom Cache Keys: Since version 0.8.0 removes the insecure default cache key, users must implement a custom callback that includes the host header, upstream HTTP scheme, and URI path to ensure proper cache isolation.
Temporary Workarounds: If upgrading is not immediately possible, configure request filter logic to return an error on any request containing an “Upgrade” header.3.
Additionally, reject any non-HTTP/1.1 requests or requests with invalid Content-Length headers.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
