CVE-2026-50052
LowCVSS 2.3Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a flaw in HTTP/2 request parsing allows a backend request desync (request smuggling) attack. This can lead to cache poisoning, authentication bypass, or even information disclosure and manipulation. The vulnerability only exists if HTTP/2 support is enabled via the +http2 feature parameter, which is disabled by default.
Risk Assessment
The organization risks cache poisoning, which could serve malicious content to users, bypass authentication mechanisms, and potentially leak sensitive data.
Recommendation
Immediately upgrade Vinyl Cache to version 9.0.1 or later and Varnish Cache to version 9.0.3 or later. If HTTP/2 is not required, keep it disabled.
Original NVD description (English source)
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

