CVE-2026-26365 MEDIUM

CVE-2026-26365

Vendor Akamai
Product Ghost
Weakness CWE-444
Published February 23, 2026
Last update February 23, 2026

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

Key dates

02Disclosure timeline

February 23, 2026 CVE published
February 23, 2026 Record updated