HTTP Header Injection Vulnerability in Netty Framework
CVE-2026-42578

2.9 LOW

Key Information:

Vendor:
Netty

Status:
Vendor

CVE Published:
13 May 2026

What is CVE-2026-42578?

Netty, an event-driven network application framework, contains a vulnerability that allows an attacker to inject arbitrary HTTP headers into outbound HTTP CONNECT requests because header validation is disabled for those requests. Before the fixed versions, the CONNECT request built in the newInitialMessage() method does not validate user-provided outbound headers, so an attacker who can influence the values placed in those headers can inject additional header lines. The vulnerability has been addressed in versions 4.2.13.Final and 4.1.133.Final.
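The following is an added example, not code from Netty or from this advisory, showing the kind of check whose absence the advisory describes: header names are restricted to RFC 9110 token characters and header values are rejected if they contain CR, LF or NUL, because those bytes are what let one value become a second header line. The class name, the `buildConnect` helper and the sample header values are assumptions constructed for illustration; in Netty itself the equivalent protection is to build the CONNECT request with validating headers (Netty's `DefaultHttpHeaders` validates by default) rather than with validation switched off.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Validates user-supplied HTTP header names and values before they reach an outbound request. */
public final class HeaderValidator {
    private HeaderValidator() {}

    /** Header names must be non-empty RFC 9110 tokens: visible ASCII without separators. */
    static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f) return false; // controls, space, DEL, non-ASCII
            switch (c) {
                case '(': case ')': case '<': case '>': case '@': case ',': case ';': case ':':
                case '\\': case '"': case '/': case '[': case ']': case '?': case '=':
                case '{': case '}':
                    return false;
                default:
            }
        }
        return true;
    }

    /** Header values must not contain CR, LF or NUL; a CRLF inside a value terminates the line early. */
    static boolean isValidValue(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') return false;
        }
        return true;
    }

    /** Rejects the whole header set if any entry is unsafe; returns it unchanged otherwise. */
    static Map<String, String> requireValid(Map<String, String> headers) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (!isValidName(e.getKey()))
                throw new IllegalArgumentException("bad header name: " + e.getKey());
            if (!isValidValue(e.getValue()))
                throw new IllegalArgumentException("bad header value for " + e.getKey());
        }
        return headers;
    }

    /**
     * Serialises a CONNECT request head. The vulnerable shape the advisory describes is this same
     * loop with requireValid() left out; here the target and every extra header are checked first.
     */
    static String buildConnect(String hostPort, Map<String, String> extra) {
        if (!isValidValue(hostPort) || hostPort.isEmpty())
            throw new IllegalArgumentException("bad CONNECT target");
        StringBuilder sb = new StringBuilder("CONNECT ").append(hostPort).append(" HTTP/1.1\r\n");
        sb.append("Host: ").append(hostPort).append("\r\n");
        for (Map.Entry<String, String> e : requireValid(extra).entrySet()) {
            sb.append(e.getKey()).append(": ").append(e.getValue()).append("\r\n");
        }
        return sb.append("\r\n").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a well-formed extra header is passed through unchanged.
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("Proxy-Authorization", "Basic ZHVtbXk6ZHVtbXk="); // placeholder credential, not real
        System.out.print(buildConnect("example.com:443", ok));

        // Constructed sample: a value carrying a line break is refused instead of being emitted
        // as an additional header line.
        Map<String, String> bad = new LinkedHashMap<>();
        bad.put("X-Request-Id", "abc123\r\nX-Unexpected: 1");
        try {
            buildConnect("example.com:443", bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Running `main` prints the valid CONNECT head and then `rejected: bad header value for X-Request-Id`. The check is applied to the whole header map before any byte is written, so a single bad entry fails the request rather than producing a partially written, and therefore ambiguous, request head.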

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.13.Final

netty < 4.1.133.Final

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved