CVE-2026-54387

CRITICAL 9.1

Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the proxy and backend parser state, allowing injection of arbitrary HTTP requests to the backend to enable cache poisoning, access control bypass, and request hijacking.

CWE	CWE-444
Vendor	tinyproxy
Product	tinyproxy
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for tinyproxy tinyproxy

Be the first to know when new critical vulnerabilities affecting tinyproxy tinyproxy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

tinyproxy / tinyproxy

0 ≤ 1.11.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/tinyproxy/tinyproxy/issues/609 github.com: https://github.com/tinyproxy/tinyproxy/pull/610 github.com: https://github.com/tinyproxy/tinyproxy/commit/ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 vulncheck.com: https://www.vulncheck.com/advisories/tinyproxy-http-request-smuggling-via-cl-te-desynchronization

Credits

Tristan Madani (@TristanInSec)