CVE-2026-33555

Severity: MEDIUM

HAProxy 2.6-3.3.5 - HTTP/3 Request Smuggling via Empty Payload Frame

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33555. PoCs published by r3verii.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-33555, demonstrating HTTP request smuggling via HAProxy's H3/QUIC implementation. The exploit leverages a standalone QUIC STREAM FIN to bypass body size validation, leading to cross-user request smuggling.

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Exploits (1)

nomisec WORKING POC
by r3verii · poc
https://github.com/r3verii/CVE-2026-33555

Classification
Working PoC 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: HAProxy with QUIC/H3 support (tested on 3.0.18)
No auth needed
Prerequisites: HAProxy compiled with USE_QUIC=1 · Backend connection pooling enabled (http-reuse always) · Backend that sends early responses before consuming full body
Analyzed by devstral-2 on Apr 17, 2026

Scores

CVSS v3.1 base score 4.0
EPSS 0.0030
EPSS Percentile 21.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Lab Environment

Community Lab
docker pull nginx:1.27

Details

CWE
CWE-130 (Improper Handling of Length Parameter Inconsistency)
Status published
Products (1)
HAProxy/HAProxy 2.6 - 3.3.6
Published Apr 13, 2026
Tracked Since Apr 13, 2026