Cache Poisoning Vulnerability in Pingora HTTP Proxy Framework
CVE-2026-2836
What is CVE-2026-2836?
A cache poisoning vulnerability has been identified in the Pingora HTTP proxy framework, stemming from its default cache key construction. The default implementation generates cache keys using only the URI path and omits critical elements such as the Host header. Operators who rely on the default key are therefore exposed to cache poisoning: an attacker can manipulate the cache and potentially cause cross-origin responses to be served to users improperly.
Users employing Pingora's alpha proxy caching feature and relying on the default CacheKey implementation are particularly at risk. An attacker could leverage this vulnerability to facilitate cross-tenant data leakage, allowing users from one tenant to receive cached responses meant for another. Additionally, attackers can perform cache poisoning attacks to deliver malicious content to legitimate users by corrupting shared cache entries.
To mitigate these risks, Pingora users are strongly advised to update to version 0.8.0 or later, which rectifies the insecure default cache key setup. Users must implement their own cache key construction, incorporating essential components like the Host header, origin server HTTP scheme, and any other relevant attributes for their caching strategy.
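The difference between a path-only key and a key that also binds the scheme and Host header can be seen in a small standalone model. This is an added example, not Pingora's code or API: the Req struct, the function names, the tenant host names and the response bodies are all constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed request model for illustration; these are not Pingora's types.
struct Req {
    scheme: &'static str, // scheme used towards the origin server
    host: &'static str,   // value of the Host header
    path: &'static str,   // URI path
}

// Key built from the URI path only, the behaviour the advisory describes.
fn path_only_key(r: &Req) -> String {
    r.path.to_string()
}

// Key that also binds the scheme and Host header. Scheme and host are
// case-insensitive, so both are lowercased; the path is left untouched.
fn origin_bound_key(r: &Req) -> String {
    format!("{}://{}{}", r.scheme.to_ascii_lowercase(), r.host.to_ascii_lowercase(), r.path)
}

// Minimal shared cache: on a miss the origin body is stored, on a hit the
// stored body is returned. Yields the body served for each request, in order.
fn serve(reqs: &[(Req, &str)], key: fn(&Req) -> String) -> Vec<String> {
    let mut cache: HashMap<String, String> = HashMap::new();
    reqs.iter()
        .map(|(r, origin_body)| {
            cache.entry(key(r)).or_insert_with(|| origin_body.to_string()).clone()
        })
        .collect()
}

// Constructed sample traffic: (request, body the origin would return).
fn sample() -> Vec<(Req, &'static str)> {
    vec![
        (Req { scheme: "https", host: "tenant-a.example", path: "/app.js" }, "tenant-a js"),
        (Req { scheme: "https", host: "tenant-b.example", path: "/app.js" }, "tenant-b js"),
        (Req { scheme: "http", host: "tenant-a.example", path: "/app.js" }, "tenant-a http js"),
        (Req { scheme: "https", host: "Tenant-A.example", path: "/app.js" }, "tenant-a js"),
    ]
}

fn main() {
    println!("path only:    {:?}", serve(&sample(), path_only_key));
    println!("origin bound: {:?}", serve(&sample(), origin_bound_key));
}
```

With the path-only key every request after the first is answered from tenant-a's entry; with the origin-bound key each scheme and host pair gets its own entry.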

Affected Version(s)
Pingora (https://github.com/cloudflare/pingora): versions from 0 up to, but not including, 0.8.0
