
CVE-2026-39805

· Published 01/05/2026 21:16 · Modified 01/05/2026 21:16

Labels: CVE-2026-39805, 2026-05-01, 6b3ad84c-e1a6-4bf7-a703-f496b71e49db, CWE-444

Essential information

Published
01/05/2026 21:16
Modified
01/05/2026 21:16
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CWE-444
CVSS vector

CVSS metrics

Description

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.
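The two lookup strategies the description contrasts, shown side by side as an added example written for this page (it is not Bandit's code and does not use Bandit's API). Headers are modelled as a Python list of (name, value) pairs so that a keyfind-style "first match" lookup can sit next to a parser that applies the RFC 9112 §6.3 rule: every Content-Length value, across repeated headers and comma-separated lists, must be the same valid non-negative integer, otherwise the message framing is unrecoverable and the request is rejected with the connection closed. The function names, the FramingError class and the two sample requests are all constructed for the example.

```python
"""Duplicate Content-Length handling: first-match lookup vs RFC 9112 section 6.3.

Added example (not Bandit's code). Headers are a list of (name, value)
pairs; names are lower-cased so lookups are case-insensitive.
"""
import re
from typing import Callable, List, Optional, Tuple

Header = Tuple[str, str]


class FramingError(ValueError):
    """Invalid message framing: the server must reject and close the connection."""


def parse_request(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP/1.1 request into request line, header list and the
    bytes that follow the blank line (body plus anything after it)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("ascii").strip().lower(),
                        value.decode("ascii").strip()))
    return lines[0], headers, rest


def first_match_content_length(headers: List[Header]) -> Optional[int]:
    """Weak lookup: return the FIRST Content-Length value and ignore the rest,
    the keyfind-style behaviour the advisory describes for versions before 1.11.0."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return None


def strict_content_length(headers: List[Header]) -> Optional[int]:
    """RFC 9112 section 6.3 framing check: collect every Content-Length value
    (repeated headers and comma-separated lists alike); all must be identical
    and purely numeric, or the request is an unrecoverable framing error."""
    values = [v.strip()
              for name, value in headers if name == "content-length"
              for v in value.split(",")]
    if not values:
        return None
    if any(not re.fullmatch(r"[0-9]+", v) for v in values):
        raise FramingError("invalid Content-Length value")
    if len(set(values)) != 1:
        raise FramingError("conflicting Content-Length values")
    return int(values[0])


def frame_body(rest: bytes, content_length: int) -> Tuple[bytes, bytes]:
    """Consume content_length bytes as the body. Whatever is left stays in the
    connection buffer and a keep-alive server would parse it as the next
    pipelined request, which is the desynchronisation the advisory describes."""
    return rest[:content_length], rest[content_length:]


def handle(raw: bytes, lookup: Callable[[List[Header]], Optional[int]]):
    """Return ('ok', body, leftover) or ('reject', 400, reason)."""
    _, headers, rest = parse_request(raw)
    try:
        length = lookup(headers)
    except FramingError as exc:
        return ("reject", 400, str(exc))
    body, leftover = frame_body(rest, length or 0)
    return ("ok", body, leftover)


# Constructed sample: two Content-Length headers that disagree (5 vs 20).
DUPLICATE = (b"POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 20\r\n\r\n"
             + b"hello" + b"A" * 15)

# Constructed sample: duplicate headers that agree; RFC 9112 permits accepting this.
IDENTICAL = (b"POST /api/submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")


if __name__ == "__main__":
    print("first-match:", handle(DUPLICATE, first_match_content_length))
    print("strict     :", handle(DUPLICATE, strict_content_length))
    print("identical  :", handle(IDENTICAL, strict_content_length))
```

Run as a script, the first-match lookup reports the 5-byte body and 15 leftover bytes sitting in the buffer, while the strict parser rejects the same request outright. The check belongs at the back end even when an edge proxy is expected to normalise requests: the advisory's scenario is exactly the case where the proxy forwards rather than rejects, so the last line of defence is the origin server refusing any request whose framing is ambiguous.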

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
NVD
View on NVD

Affected products (CPE)

Product    CPE
mtrudel / bandit    cpe:2.3:a:mtrudel:bandit:<1.11.0:*:*:*:*:*:*:*

References