CVE-2026-44546
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Daphne before 4.2.2 has an issue reconstructing a raw HTTP request from Twisted's parsed headers, which can lead to header injection by an attacker.
Risk Assessment
An attacker can exploit this vulnerability to manipulate data passed to the application, potentially leading to unauthorized access or other harmful actions.
Recommendation
It is recommended to upgrade daphne to version 4.2.2 or later to mitigate this vulnerability.
Original NVD description (English source)
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

