HTTP Request Smuggling Vulnerability in Tinyproxy by Tinyproxy Team
CVE-2026-54388

9.3 CRITICAL

Key Information:

Vendor: Tinyproxy

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2026-54388?

Tinyproxy versions prior to 1.11.3 are susceptible to HTTP request smuggling because they mishandle requests that carry multiple Content-Length headers with differing values. For such a request, the proxy forwards all of the duplicate headers to the backend while using the first value to determine the body length. This lets a remote attacker desynchronize the proxy and backend state and inject arbitrary HTTP requests into backend services, which can lead to cache poisoning, access control bypass, and request hijacking.
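
A defender-side check for the condition described above, as an added example (not Tinyproxy's code or its 1.11.3 fix): it scans a raw header block and rejects the request when Content-Length values disagree or are malformed, which is the handling RFC 9112 section 6.3 requires. The names `cl_merge`, `check_content_length` and `enum cl_result` are this example's own.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>
#include <strings.h>

/* Framing verdicts (names are this example's, not Tinyproxy's). */
enum cl_result { CL_ABSENT = 0, CL_OK = 1, CL_REJECT = -1 };

/* Parse a comma-separated list of decimal values; every value must equal *seen. */
static int cl_merge(const char *v, const char *end, long long *seen, int *have)
{
    for (;;) {
        long long n = 0;
        int digits = 0;
        while (v < end && (*v == ' ' || *v == '\t')) v++;
        while (v < end && isdigit((unsigned char)*v)) {
            if (n > (LLONG_MAX - 9) / 10) return -1;  /* would overflow */
            n = n * 10 + (*v++ - '0');
            digits++;
        }
        while (v < end && (*v == ' ' || *v == '\t')) v++;
        if (!digits) return -1;                  /* empty, signed or non-numeric */
        if (*have && *seen != n) return -1;      /* conflicting lengths */
        *seen = n;
        *have = 1;
        if (v == end) return 0;
        if (*v++ != ',') return -1;              /* trailing garbage, e.g. "12abc" */
    }
}

/* hdrs: CRLF-separated header lines without the request line. */
enum cl_result check_content_length(const char *hdrs, long long *len)
{
    static const char name[] = "content-length";
    int have = 0;
    const char *line = hdrs;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (colon && (size_t)(colon - line) == sizeof name - 1 &&
            strncasecmp(line, name, sizeof name - 1) == 0 &&
            cl_merge(colon + 1, eol, len, &have) != 0)
            return CL_REJECT;   /* answer 400 and close; do not forward */
        line = *eol ? eol + 2 : eol;
    }
    return have ? CL_OK : CL_ABSENT;
}
```

Repeated headers with identical values are accepted here; a stricter deployment can reject any duplicate, and should forward a single normalized Content-Length either way.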

Affected Version(s)

tinyproxy 0 <= 1.11.3


tinyproxy 364cdb67e0ea00a8e4a7037e2693e0711e816adb


CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani (@TristanInSec)