Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing
CVE-2026-44546

3.7LOW

Key Information:

Vendor: Djangoproject
Status: Daphne
Vendor: CVE Published:; 3 June 2026

🔔 Create Djangoproject Vulnerability Alert

What is CVE-2026-44546?

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

Affected Version(s)

daphne 4.2.0 <= 4.2.1

daphne 4.2.2

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt

release-notes

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
May 6, 2026

Credit

Rene Henningsen

Carlton Gibson

CVE-2026-44546 Data

JSON