Description
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.
References (3)
Core 3
Core References
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-1760
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2435951
Scores
CVSS v3
5.3
EPSS
0.0042
EPSS Percentile
34.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (5)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
Published
Feb 02, 2026
Tracked Since
Feb 18, 2026