HTTP Request Smuggling Vulnerability in mtrudel Bandit Web Server
CVE-2026-39805

6.3 MEDIUM

Key Information:

Vendor: Mtrudel
Status: Vendor
CVE Published: 1 May 2026

What is CVE-2026-39805?

The Bandit web server by mtrudel mishandles HTTP requests that carry more than one Content-Length header. Its request parser uses only the first Content-Length value and ignores any that follow, instead of treating the request as an error. When Bandit is deployed behind a component that forwards requests without validating them itself, that component may frame the request body differently from Bandit, so a specially crafted request can bypass controls such as web application firewalls (WAFs) and rate limiting and smuggle a request that should have been rejected, allowing unauthorized access to or manipulation of the server's behaviour.
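The framing rule at issue, as an added Python illustration written for this page (Bandit is an Elixir project; this is not its code): a first-header-wins reader of the kind the advisory describes, beside a strict reader that applies the RFC 9112 §6.3 requirement that every Content-Length value be a valid decimal and that repeated values agree, rejecting the message otherwise. The sample requests, the `check_request` helper and all function names are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample request heads (not taken from the advisory), CRLF-delimited HTTP/1.1.
DUPLICATE_CL = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)
REPEATED_IDENTICAL_CL = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 11\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)
NO_CL = b"GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n"


class MalformedRequest(ValueError):
    """Raised when the request head cannot be framed unambiguously."""


_DIGITS = re.compile(rb"^[0-9]+$")


def parse_headers(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Split a raw request head into (lower-cased name, value) pairs, keeping duplicates."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise MalformedRequest(f"bad header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def lenient_content_length(headers) -> Optional[int]:
    """First-header-wins framing, the behaviour the advisory attributes to Bandit < 1.11.0.
    Included only for contrast; this is a hypothetical reader, not Bandit's code."""
    for name, value in headers:
        if name == b"content-length":
            return int(value)
    return None


def strict_content_length(headers) -> Optional[int]:
    """RFC 9112 §6.3 framing: each Content-Length value (including comma-separated list
    members) must be decimal digits, and all occurrences must agree; otherwise reject."""
    values = []
    for name, value in headers:
        if name != b"content-length":
            continue
        for member in value.split(b","):
            member = member.strip()
            if not _DIGITS.match(member):
                raise MalformedRequest(f"invalid Content-Length value: {member!r}")
            values.append(int(member))
    if not values:
        return None
    if len(set(values)) > 1:
        raise MalformedRequest(f"conflicting Content-Length values: {sorted(set(values))}")
    return values[0]


def check_request(raw: bytes) -> tuple[str, Optional[int]]:
    """Return ("accept", length) when the request frames unambiguously, else ("reject", None)."""
    try:
        return ("accept", strict_content_length(parse_headers(raw)))
    except MalformedRequest:
        return ("reject", None)


if __name__ == "__main__":
    for label, req in (("duplicate", DUPLICATE_CL), ("identical", REPEATED_IDENTICAL_CL), ("none", NO_CL)):
        print(label, "lenient:", lenient_content_length(parse_headers(req)), "strict:", check_request(req))
```

On the constructed `DUPLICATE_CL` request the lenient reader reports a body of 5 bytes while the strict reader rejects the request outright; that disagreement between two parsers on one message is the condition the advisory describes. Identical repeated values are accepted by the strict reader, since RFC 9110 permits a recipient to merge them. The same rule belongs in any proxy or WAF in front of the server, so that both ends frame a request the same way or neither forwards it.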

Affected Version(s)

bandit 0 < 1.11.0

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Mat Trudel
Jonatan Männchen