Infinite Loop Vulnerability in Bandit by mtrudel
CVE-2026-39806

8.7 HIGH

Key Information:

Vendor: Mtrudel
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-39806?

A Denial of Service vulnerability exists in mtrudel's Bandit due to an infinite loop in the do_read_chunked_data! method. An unauthenticated attacker can exhaust the worker process pool by sending specially crafted chunked requests that contain trailer fields, causing the server to become unresponsive. The request needs neither special headers nor a large payload, so the issue is easy to trigger. Reverse proxies such as NGINX and HAProxy forward such requests to the backend, so a Bandit server behind a proxy is exposed even without direct client access. Affected versions range from Bandit 1.6.1 through 1.11.0; an immediate upgrade is required to remediate the vulnerability.

Affected Version(s)

bandit >= 1.6.1, < 1.11.1

bandit e73e379ab59840e8561b5730878f16e29ab06217

CVSS v4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Peter Ullrich
Mat Trudel
Jonatan Männchen