HTTP/2-to-HTTP/1.1 Codec Vulnerability in Swift NIO HTTP2 by Swift
CVE-2026-28898

5.3MEDIUM

Key Information:

Vendor: Apple
Status: Swift-nio-http2
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-28898?

The swift-nio-http2 library's HTTP/2-to-HTTP/1.1 codec originally failed to validate pseudo-header values, making it susceptible to control character manipulations before processing. This oversight allows potentially harmful characters (such as CR, LF, or NUL bytes) to be included in translated HTTP/1.1 messages, which could lead to unexpected behavior or security risks. In version 1.44.1, the library has implemented rigorous validation checks for pseudo-header values, ensuring requests or responses that contain such control characters are promptly rejected, thus enhancing the overall security posture of applications utilizing this library.

Affected Version(s)

swift-nio-http2 0 < 1.44.1

References

https://github.com/advisories/GHSA-4px2-pw77-vc85

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Mar 3, 2026

CVE-2026-28898 Data

JSON

Apple

What is CVE-2026-28898?

Affected Version(s)

References

CVSS V3.1

Timeline