Request Smuggling Vulnerability in Vinyl Cache and Varnish Cache
CVE-2026-50052

2.3 LOW

What is CVE-2026-50052?

Vinyl Cache prior to version 9.0.1 and Varnish Cache prior to version 9.0.3 contain deficiencies in HTTP/2 request parsing that attackers can exploit to mount backend request desynchronization (request smuggling) attacks. These can lead to security issues including cache poisoning, authentication bypass, and in some cases information disclosure and manipulation. The vulnerability is exploitable only when HTTP/2 support is enabled, which is not the default configuration.

Affected Version(s)

  • Varnish Cache (pre split): 7.6.0 <= 8.0.1

  • Varnish Cache (pre split): 6.0.14 <= 6.0.17

  • Varnish Cache by Varnish Software: 9.0.0 <= 9.0.2

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
