CVE-2026-33555

low-risk

Published 2026-04-13

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.

Do I need to act?

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.0/10 Medium

NETWORK / HIGH complexity

References (4)

https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a...

https://www.haproxy.com/documentation/haproxy-aloha/changelog/

https://www.haproxy.org

https://www.mail-archive.com/haproxy@formilux.org/msg46752.html

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal