CVE-2026-58055
nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
Vexday Risk Score
33 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.3 · EPSS 0.2% · KEV: no · Public PoC: yes · Nuclei — · Metasploit — · Patch referenced
Lifecycle
28 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N
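The description above is the whole mechanism: an HTTP/1.1 request that asks for an Upgrade while also announcing a body. Until the referenced nghttp2 commit is deployed, a front end can refuse to relay that combination. The check below is an added example written for this page, not nghttp2 code; it treats a Transfer-Encoding body the same way as the Content-Length case the advisory describes (an assumption that generalises the page's case), and the sample requests are constructed.

```python
import re
from typing import Dict, List, Tuple

def parse_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.1 request head into its request line and a header
    multimap with lowercased names. The body, if present, is not parsed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def is_ambiguous_upgrade(raw: bytes) -> bool:
    """True when the request asks for a protocol upgrade and also announces
    a request body: the message shape nghttpx <= 1.69.0 forwarded verbatim
    onto reused backend connections. A front end should reject such a
    request (or drop its Upgrade/Connection headers) instead of relaying it."""
    request_line, headers = parse_head(raw)
    if not request_line.endswith("HTTP/1.1"):
        return False  # RFC 9110: Upgrade is ignored in HTTP/1.0 requests
    wants_upgrade = "upgrade" in headers or any(
        "upgrade" in v.lower() for v in headers.get("connection", []))
    if not wants_upgrade:
        return False
    if "transfer-encoding" in headers:
        return True  # assumption: a framed body is as ambiguous as a CL body
    lengths = headers.get("content-length", [])
    # Malformed or conflicting Content-Length values are treated as a body
    # announcement too, since the backend may read them differently.
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        return True
    return any(int(v) > 0 for v in lengths)

# Constructed sample requests: the first is the advisory's shape, the
# second is a plain WebSocket handshake with no body and must pass.
SAMPLES = [
    b"GET /ws HTTP/1.1\r\nHost: app\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nContent-Length: 5\r\n\r\nhello",
    b"GET /ws HTTP/1.1\r\nHost: app\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\n\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("reject" if is_ambiguous_upgrade(s) else "forward", s[:12])
```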
Affected products
nghttp2 · nghttp2
Public PoCs found — 1
cve_reference: github.com/bikini/exploitarium/tree/main/nghttp2-nghttpx-upgrade-queue-poison-poc (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/bikini/exploitarium/tree/main/nghttp2-nghttpx-upgrade-queue-poison-poc
https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e
https://www.vulncheck.com/advisories/nghttp2-nghttpx-http-request-response-smuggling-via-upgrade-request-with-content-length