CVE-2026-6338
MediumCVSS 4.9Summary
CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to take control of user sessions or manipulate data. This could lead to serious security breaches and loss of customer trust.
Recommendation
It is recommended to upgrade to the latest version of Kong Gateway Enterprise to mitigate this vulnerability. Additionally, implementing HTTP traffic monitoring mechanisms to detect potential attacks is advisable.
Original NVD description (English source)
A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

