Blog Security Research CVE-2026-26365: Incorrect processing of “Connection: Transfer-Encoding” On February 6, 2026, Akamai eliminated a potential HTTP request smuggling vector, due to a bug in the processing of custom hop-by-hop HTTP headers. Background HTTP defines a set of hop-by-hop  headers intended to be processed only by the first proxy receiving them and then immediately removed from the request, never forwarded to the next server.  In addition to the hop-by-hop headers specified in the HTTP standard, clients can define their own custom hop-by-hop headers by listing these header names in the “Connection” header; for example, “Connection: My-Custom-Hop-By-Hop-Header.” Vulnerability details Akamai edge servers contained a bug due to improper processing of requests specifying “Transfer-Encoding” as a custom hop-by-hop header.…