CVE-2026-28898
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
The HTTP/2-to-HTTP/1.1 codec in swift-nio-http2 did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. Version 1.44.1 adds validation of all pseudo-headers (:path, :authority, :scheme, :method, :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer, rejecting requests or responses containing CR, LF, or NUL bytes.
Risk Assessment
An attacker can inject control characters (CR, LF, NUL) into HTTP/2 pseudo-headers, potentially leading to HTTP request smuggling, cache poisoning, or other communication integrity violations.
Recommendation
Immediately update swift-nio-http2 to version 1.44.1 or later, which includes the necessary pseudo-header validation.
Original NVD description (English source)
swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.

