HTTP request smuggling in Kong Enterprise Gateway
CVE-2026-6338

4.9 MEDIUM

Key Information:

Vendor: Kong
CVE Published: 11 June 2026

What is CVE-2026-6338?

An HTTP request smuggling and desynchronization vulnerability affects the Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Affected Version(s)

Kong Enterprise Gateway Linux 3.4.0.0 < 3.4.3.27

Kong Enterprise Gateway Linux 3.10.0.0 < 3.10.0.12

Kong Enterprise Gateway Linux 3.11.0.0 < 3.11.0.12

CVSS V4

Score: 4.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
