Today we’re disclosing request smuggling vulnerabilities when our open source Pingora service is deployed as an ingress proxy and how we’ve fixed them in Pingora 0.8.0.

Cloudflare's platform is a leading provider of internet security and performance solutions, offering insights into web security, content delivery, and DNS management. Through documentation, blog posts, and webinars, Cloudflare provides insights into protecting websites and applications from cyber threats and improving performance. Developers and IT professionals can learn about CDN (Content Delivery Network), DDoS mitigation, and firewall configurations to secure and accelerate web traffic.

Cloudflare

Cloudflare disclosed three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) in the open-source Pingora proxy framework, patched in Pingora 0.8.0. The vulnerabilities affected standalone Pingora ingress deployments and could enable attackers to bypass proxy security controls, perform cross-user session hijacking, and poison caches. Three attack vectors are detailed: premature Upgrade header passthrough, improper Transfer-Encoding/HTTP 1.0 framing, and a default CacheKey construction flaw that ignored host headers. Cloudflare's own CDN was not affected due to architectural differences. Users of the Pingora framework are strongly urged to upgrade to 0.8.0 immediately.

Fixing request smuggling vulnerabilities in Pingora OSS deployments