CVE-2026-33555
MediumCVSS 4.0Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
In HAProxy before version 3.3.6, a vulnerability was found in the HTTP/3 parser. It does not verify that the received body length matches a previously declared Content-Length header when the stream is closed via a frame with an empty payload. The issue exists since version 2.6.
Risk Assessment
This vulnerability can cause desynchronization between HAProxy and the backend server, enabling request smuggling attacks. An attacker could smuggle malicious requests, potentially gaining access to other users' data or bypassing security mechanisms.
Recommendation
Immediately upgrade HAProxy to version 3.3.6 or later. If an upgrade is not possible, consider temporarily disabling HTTP/3 support or applying WAF rules to block suspicious requests.
Original NVD description (English source)
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

