Vulnerability Description
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a
- https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.htm
- https://www.haproxy.com/documentation/haproxy-aloha/changelog/
- https://www.haproxy.org
- https://www.mail-archive.com/[email protected]/msg46752.html
- https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.htm
FAQ
What is CVE-2026-33555?
CVE-2026-33555 is a vulnerability with a CVSS score of 4.0 (MEDIUM). An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with...
How severe is CVE-2026-33555?
CVE-2026-33555 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33555?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.