CVE Catalog

CVE-2026-33555

MediumCVSS 4.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

In HAProxy before version 3.3.6, a vulnerability was found in the HTTP/3 parser. It does not verify that the received body length matches a previously declared Content-Length header when the stream is closed via a frame with an empty payload. The issue exists since version 2.6.

Risk Assessment

This vulnerability can cause desynchronization between HAProxy and the backend server, enabling request smuggling attacks. An attacker could smuggle malicious requests, potentially gaining access to other users' data or bypassing security mechanisms.

Recommendation

Immediately upgrade HAProxy to version 3.3.6 or later. If an upgrade is not possible, consider temporarily disabling HTTP/3 support or applying WAF rules to block suspicious requests.

Original NVD description (English source)

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS