CVE-2026-50052
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
| CWE | CWE-444 |
| Vendor | the vinyl cache project |
| Product | vinyl cache |
| Published | Jun 3, 2026 |
| Last Updated | Jun 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for the vinyl cache project vinyl cache
Be the first to know when new unknown vulnerabilities affecting the vinyl cache project vinyl cache are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
The Vinyl Cache Project / Vinyl Cache
9.0.0
The Vinyl Cache Project / Varnish Cache (pre split)
7.6.0 โค 8.0.1 6.0.14 โค 6.0.17
Varnish Software / Varnish Cache by Varnish Software
9.0.0 โค 9.0.2