
CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

DEV Community·CVE Reports·26 days ago

CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

Vulnerability ID: CVE-2026-39805
CVSS Score: 6.3
Published: 2026-05-07

The Bandit HTTP server for Elixir, in versions prior to 1.11.0, fails to correctly process requests containing multiple Content-Length headers. This inconsistent interpretation creates a CL.CL HTTP request smuggling vulnerability when Bandit is deployed behind a reverse proxy that parses the headers differently. Attackers exploit this desynchronization to smuggle secondary HTTP requests past edge security controls.

TL;DR: Bandit < 1.11.0 accepts duplicate Content-Length headers and processes only the first one, violating RFC 9112. When deployed behind certain reverse proxies, this allows attackers to smuggle hidden HTTP requests to bypass frontend access controls.…
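The difference between "honour the first Content-Length" and the RFC 9112 rule is the whole vulnerability, so the added example below (written for this page, not Bandit's own code) contrasts the two parsing policies on a constructed request carrying two disagreeing Content-Length headers. The lenient function models the behaviour the advisory describes; the strict one is the check a server or a proxy rule should apply: identical duplicate values collapse to one, differing values are rejected with 400 before any body is read.

```python
import re
from typing import Optional

class BadRequest(Exception):
    """Raised when the request must be answered with 400 rather than parsed further."""

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 message head into (name, value) pairs; names are lowercased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("malformed header line")
        headers.append((name.strip().lower().decode("ascii"), value.strip().decode("ascii")))
    return headers

def lenient_content_length(headers) -> Optional[int]:
    """Models the pre-1.11.0 behaviour described above: only the first Content-Length counts.
    Any later, differing value is silently ignored, so the body boundary this parser
    picks can disagree with a proxy that read the other value."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return None

def strict_content_length(headers) -> Optional[int]:
    """RFC 9112 section 6.3: multiple Content-Length fields (or a comma-separated list)
    are acceptable only when every member is the same valid number; otherwise the
    message is invalid and must be rejected, never parsed with a guessed length."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    members = [m.strip() for v in values for m in v.split(",")]
    if any(not re.fullmatch(r"[0-9]+", m) for m in members):
        raise BadRequest("invalid Content-Length value")
    if len(set(members)) != 1:
        raise BadRequest("conflicting Content-Length values")
    return int(members[0])

# Constructed sample request (not from the advisory): two Content-Length headers that disagree.
SAMPLE = (b"POST /submit HTTP/1.1\r\n"
          b"Host: app.example\r\n"
          b"Content-Length: 5\r\n"
          b"Content-Length: 11\r\n"
          b"\r\n"
          b"hello world")
```

Running `strict_content_length(parse_headers(SAMPLE))` raises `BadRequest`, while the lenient policy returns 5 and would leave six body bytes on the connection to be read as the start of the next request.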
