CVE-2026-33555

MEDIUM 4.0

CVSS Score

4.0

EPSS Score

0.0%

EPSS Percentile

1th

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

CWE	CWE-130
Vendor	haproxy
Product	haproxy
Published	Apr 13, 2026
Last Updated	Apr 22, 2026

Stay Ahead of the Next One

Get instant alerts for haproxy haproxy

Be the first to know when new medium vulnerabilities affecting haproxy haproxy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

HAProxy / HAProxy

2.6 < 3.3.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

haproxy.org: https://www.haproxy.org haproxy.com: https://www.haproxy.com/documentation/haproxy-aloha/changelog/ github.com: https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84 mail-archive.com: https://www.mail-archive.com/[email protected]/msg46752.html r3verii.github.io: https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html