CVE-2026-33555 MEDIUM

CVE-2026-33555

Vendor Haproxy
Product HAProxy
Weakness CWE-130
Published April 13, 2026
Last update April 22, 2026

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Key dates

02Disclosure timeline

April 13, 2026 CVE published
April 22, 2026 Record updated