CVE Catalog

CVE-2026-44546

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

Daphne before 4.2.2 has an issue reconstructing a raw HTTP request from Twisted's parsed headers, which can lead to header injection by an attacker.

Risk Assessment

An attacker can exploit this vulnerability to manipulate data passed to the application, potentially leading to unauthorized access or other harmful actions.

Recommendation

It is recommended to upgrade daphne to version 4.2.2 or later to mitigate this vulnerability.

Original NVD description (English source)

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS