CVE-2026-26365

MEDIUM

Akamai Ghost - HTTP Request Smuggling

Title source: llm

Description

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

References (1)

[Various Sources] https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding

Scores

CVSS v3 4.0

EPSS 0.0004

EPSS Percentile 12.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (1)

Akamai/Ghost < 2026-02-06

Published Feb 23, 2026

Tracked Since Feb 23, 2026