CVE Catalog

CVE-2026-50052

LowCVSS 2.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a flaw in HTTP/2 request parsing allows a backend request desync (request smuggling) attack. This can lead to cache poisoning, authentication bypass, or even information disclosure and manipulation. The vulnerability only exists if HTTP/2 support is enabled via the +http2 feature parameter, which is disabled by default.

Risk Assessment

The organization risks cache poisoning, which could serve malicious content to users, bypass authentication mechanisms, and potentially leak sensitive data.

Recommendation

Immediately upgrade Vinyl Cache to version 9.0.1 or later and Varnish Cache to version 9.0.3 or later. If HTTP/2 is not required, keep it disabled.

Original NVD description (English source)

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS