CVE-2026-40562

CVE-2026-40562: Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence

Vendor Kazeburo
Product Gazelle
Weakness CWE-444
Published May 6, 2026
Last update May 7, 2026

CVSS base score

What the vulnerability does

01Description

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 7, 2026 Record updated