CVE Alert

CVE-2026-58055

MEDIUM 5.4

nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

CWE: CWE-444
Vendor: nghttp2
Product: nghttp2
Published: Jun 28, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

nghttp2 / nghttp2: 0 ≤ version ≤ 1.69.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/bikini/exploitarium/tree/main/nghttp2-nghttpx-upgrade-queue-poison-poc
github.com: https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e
vulncheck.com: https://www.vulncheck.com/advisories/nghttp2-nghttpx-http-request-response-smuggling-via-upgrade-request-with-content-length

Credits

ashdfrkl