Fixing Request Smuggling Vulnerabilities in Pingora OSS Deployments (2026)

    10 March 2026 by Suraj Barman

    Context & History

    In December 2025 Cloudflare received reports of three HTTP/1.x request smuggling flaws affecting the Pingora open‑source framework when it is used as an ingress proxy. The issues, catalogued as CVE‑2026‑2833, CVE‑2026‑2835, and CVE‑2026‑2836, were disclosed by security researcher Rajat Raghav (xclow3n). Cloudflare's own CDN traffic was not impacted because Pingora is not deployed as an ingress proxy in that environment, but standalone deployments exposed to the internet could suffer desynchronisation attacks, cache poisoning, and credential leakage. The vulnerabilities stem from non‑RFC‑compliant handling of request bodies and Upgrade headers in Pingora's HTTP/1 stack.

    Implementation & Best Practices

    Before applying any configuration changes, follow this roadmap: (1) audit your current Pingora version, (2) back up existing configuration files, (3) upgrade to Pingora 0.8.0 or later, (4) verify that the upgrade and transfer‑encoding handling flags are set to strict mode, and (5) run regression tests against typical backend services. This sequence ensures a smooth transition and avoids accidental service interruption.

    Understanding the Vulnerabilities

    The first flaw involved the Upgrade header. Pingora would forward any bytes following the Upgrade request to the backend even when the backend responded with 200 OK instead of the required 101 Switching Protocols. An attacker could then pipeline a second request, causing the backend to mix user contexts. The second flaw was a classic Content‑Length vs Transfer‑Encoding mismatch (CL.TE). Pingora gave priority to Content‑Length while the backend relied on chunked encoding, leading to body‑framing confusion. The third issue combined the two patterns with HTTP/1.0 semantics, allowing close‑delimited bodies that are not permitted for requests.

    Patching in Pingora 0.8.0

    Version 0.8.0 introduces three key changes:

    • Strict validation of the Upgrade flow - Pingora now waits for a definitive 101 response before treating subsequent bytes as an upgraded stream.
    • Improved Transfer‑Encoding parsing - multiple encodings are recognised and the final encoding must be chunked before chunked framing is applied.
    • Enforced request‑body framing - close‑delimited bodies are rejected for HTTP/1.x requests, aligning with the RFC.
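    The three framing rules above, written out as an added example (not Pingora's own code): one function that takes an already‑split HTTP/1.x request head and decides whether the body is chunked, length‑delimited, empty, or must be rejected, following RFC 9112 section 6. It assumes the caller has the head as a CRLF‑separated string and treats a Reject result as "answer 400, log the head, close the connection".

```rust
// Added example, not Pingora's own code: frame an HTTP/1.x request body from
// its head per RFC 9112 section 6, rejecting the shapes behind the CL.TE and
// close-delimited-body findings. Reject(...) means answer 400, log, close.
#[derive(Debug, PartialEq)]
pub enum Framing {
    Chunked,
    Length(u64),
    NoBody, // a request body is never close-delimited
    Reject(&'static str),
}
/// `head`: request line plus header lines, CRLF separated, ending in an empty line.
pub fn request_body_framing(head: &str) -> Framing {
    let mut lines = head.split("\r\n");
    let request_line = lines.next().unwrap_or("");
    let is_http10 = request_line.ends_with(" HTTP/1.0");
    if !is_http10 && !request_line.ends_with(" HTTP/1.1") {
        return Framing::Reject("not an HTTP/1.x request line");
    }
    let mut content_length: Option<u64> = None;
    let mut codings: Vec<String> = Vec::new();
    for line in lines.take_while(|l| !l.is_empty()) {
        let (name, value) = match line.split_once(':') { Some(p) => p, None => return Framing::Reject("malformed header line") };
        match name.trim().to_ascii_lowercase().as_str() {
            "content-length" => match (value.trim().parse::<u64>(), content_length) {
                // a repeated Content-Length, even with the same value, is treated as hostile
                (Ok(n), None) => content_length = Some(n),
                _ => return Framing::Reject("bad or duplicate Content-Length"),
            },
            // keep empty tokens: "Transfer-Encoding:" or "chunked," is an invalid list
            "transfer-encoding" => {
                codings.extend(value.split(',').map(|c| c.trim().to_ascii_lowercase()));
            }
            _ => {}
        }
    }
    if codings.is_empty() {
        // RFC 9112 6.3: with neither header a request body is empty; never read "until close"
        return content_length.map_or(Framing::NoBody, Framing::Length);
    }
    // RFC 9112 6.1: Transfer-Encoding on an HTTP/1.0 message is faulty framing
    if is_http10 { return Framing::Reject("Transfer-Encoding on HTTP/1.0"); }
    // RFC 9112 6.3 lets a server apply TE alone or reject; an ingress should reject and log
    if content_length.is_some() { return Framing::Reject("Content-Length alongside Transfer-Encoding"); }
    // chunked must be the final coding and appear exactly once
    let chunked_count = codings.iter().filter(|c| c.as_str() == "chunked").count();
    if codings.last().map(String::as_str) != Some("chunked") || chunked_count != 1 {
        return Framing::Reject("Transfer-Encoding does not end in a single chunked");
    }
    Framing::Chunked
}
```

Rejecting a request that carries both headers is stricter than the "Transfer‑Encoding wins" rule the RFC also permits; for an internet‑facing ingress the stricter choice removes the ambiguity entirely and gives you the log line the deployment section asks for.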

    After upgrading, enable the new security flags in pingora.conf:

    http1.strict_upgrade = true
    http1.strict_te = true
    http1.reject_close_body = true
    

    Deploying Securely

    Beyond the patch, adopt these operational practices:

    • Disable keep‑alive for any request that includes an Upgrade header to prevent pipelining.
    • Log any occurrence of mixed Content‑Length and Transfer‑Encoding headers for post‑mortem analysis.
    • Run regular scans with an HTTP smuggling testing tool to catch regressions.

    For deeper insight into handling edge‑case HTTP traffic, refer to this guide on legacy protocol handling. A related discussion on securing media pipelines can be found here.

    Key Takeaways

    • Upgrade handling must be strict.
    • Always prioritize Transfer‑Encoding over Content‑Length when both appear.
    • Close‑delimited request bodies are a security risk and should be rejected.
    • Upgrade to Pingora 0.8.0 promptly and enable the new strict mode flags.

    Copyright © 2026 TechStora. All Rights Reserved.