HTTP Request Smuggling Vulnerability in Tinyproxy by Tinyproxy
CVE-2026-54387

9.3 CRITICAL

Key Information:

Vendor: Tinyproxy

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2026-54387?

Tinyproxy versions up to 1.11.3 mishandle requests that carry conflicting Content-Length and Transfer-Encoding headers. The proxy forwards both headers unchanged, which lets a remote attacker desynchronize the proxy and backend server state; this can lead to cache poisoning, bypass of access controls, and potential hijacking of requests. By exploiting the vulnerability, attackers can manipulate how requests are processed, potentially compromising the integrity and confidentiality of backend applications.
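A defender-side check for the header conflict described above, added here as an illustration and not taken from Tinyproxy or its fix: it classifies a request head as safe to forward or not, rejecting any request that carries both Content-Length and Transfer-Encoding (RFC 9112 forbids a sender from emitting both and allows a server to reject such a request). The function names, the strict reject policy and the sample request heads are assumptions constructed for this example.

```python
import re

def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(lowercased name, value)])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Folded lines and whitespace around the field name are parsed
        # differently by different servers, so treat them as malformed.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers

def framing_verdict(raw: bytes):
    """Return ("forward" | "reject", reason) for one request head."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return "reject", str(exc)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "reject", "both Content-Length and Transfer-Encoding present"
    if te:
        # Strict policy (assumption): only a single "chunked" coding is accepted.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            return "reject", f"unsupported transfer codings: {codings}"
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", next(iter(values))):
            return "reject", "invalid or conflicting Content-Length"
    return "forward", "unambiguous framing"

# Constructed sample heads (headers only, no bodies); app.example is a placeholder.
BASE = b"POST /a HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
    "cl_only": BASE + b"Content-Length: 5\r\n\r\n",
    "te_only": BASE + b"Transfer-Encoding: chunked\r\n\r\n",
    "cl_and_te": BASE + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl": BASE + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "spaced_te": BASE + b"Transfer-Encoding : chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, framing_verdict(raw))
```

Placed in front of a backend, or run over captured request heads, a check like this refuses every request whose length could be read two ways, rather than passing the ambiguity on.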

Affected Version(s)

tinyproxy 0 <= 1.11.3

tinyproxy ff45d3bf0e61d0f8ed97ab379d3047f04eb67521

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani (@TristanInSec)