CVE-2026-33555

MEDIUM LAB

HAProxy <3.3.6 - Request Smuggling

Title source: llm

Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Exploits (1)

nomisec WORKING POC

by r3verii · poc

https://github.com/r3verii/CVE-2026-33555

View Code ZIP pw:eip

References (5)

https://www.haproxy.org

https://www.haproxy.com/documentation/haproxy-aloha/changelog/

https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84

View Patch ZIP pw:eip

https://www.mail-archive.com/[email protected]/msg46752.html

https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html

Scores

CVSS v3 4.0

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull nginx:1.27

https://github.com/haproxy/haproxy

https://github.com/r3verii/CVE-2026-33555

View in Library

Details

CWE

CWE-130

Status published

Products (1)

HAProxy/HAProxy 2.6 - 3.3.6

Published Apr 13, 2026

Tracked Since Apr 13, 2026