CVE-2026-34475

MEDIUM

Varnish Cache < 8.0.1 / Enterprise < 6.0.16r12 - Cache Poisoning or Authentication Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-34475. PoCs published by bitbcybr.

AI-analyzed exploit summary: This repository contains Nuclei templates for detecting and verifying the presence of CVE-2026-34475 in Varnish Cache instances. It includes passive detection via header analysis and active verification of cache-key collision behavior, but does not include functional exploit code.

Description

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.

Exploits (1)

GitHub · Scanner · PoC by bitbcybr
https://github.com/bitbcybr/way2poc_cve-2026-34475

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Varnish Cache (Open Source ≤ 8.0.0, 6.0 LTS ≤ 6.0.16, Varnish Enterprise 6.0.x ≤ 6.0.16r11)
Authentication: none needed
Prerequisites: Varnish Cache instance with exposed headers · Network access to target
Analysis: devstral-2, analyzed Apr 30, 2026

References (1)

Scores

CVSS v3: 5.4
EPSS: 0.0020
EPSS Percentile: 10.1%
Attack Vector: NETWORK
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize)
Status: published
Products (5):
varnish-software/Varnish Cache < 6.0.17 LTS
varnish-software/Varnish Cache 7.0.0 - 8.0.1
varnish-software/varnish_enterprise 6.0.16 r1 (11 CPE variants)
varnish-software/varnish_enterprise < 6.0.15
vinyl-cache/vinyl_cache < 8.0.1
Published: Mar 27, 2026
Tracked Since: Mar 29, 2026