CVE Catalog

CVE-2026-6338

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Summary

CVE-2026-6338 is a vulnerability affecting HTTP request smuggling and desynchronization in Kong Gateway Enterprise versions 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14. The issue is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Risk Assessment

Organizations may be exposed to attacks that exploit this vulnerability to take control of user sessions or manipulate data. This could lead to serious security breaches and loss of customer trust.

Recommendation

It is recommended to upgrade to the latest version of Kong Gateway Enterprise to mitigate this vulnerability. Additionally, implementing HTTP traffic monitoring mechanisms to detect potential attacks is advisable.

Original NVD description (English source)

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS