HTTP Parser Vulnerability in Netty Incubator Codec by Netty
CVE-2026-48480

6.6MEDIUM

Key Information:

Vendor

Netty

Vendor
CVE Published:
4 June 2026

What is CVE-2026-48480?

The Netty Incubator Codec's binary HTTP parser, specifically the codec-ohttp implementation, has a significant security issue prior to version 0.0.22.Final. This vulnerability arises because it fails to verify the receipt of a cryptographically-signed final chunk before terminating the outer HTTP body. An on-path attacker, such as one controlling the OHTTP relay or any man-in-the-middle (MITM) in the communication, can exploit this flaw. They can forward a legitimate chunk of data prematurely, severing it at a non-final chunk boundary. As a result, the outer HTTP body can be closed without triggering decryption errors or exceptions in the receiving application, potentially leading to data exposure or unauthorized actions.

Affected Version(s)

netty-incubator-codec-ohttp < 0.0.22.Final

References

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.