CVE-2026-33555
EUVD-2026-2199713.04.2026, 17:16
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| haproxy | haproxy | 2.6.0 ≤ 𝑥 < 3.3.6 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References