Medium severity4.0NVD Advisory· Published Apr 13, 2026· Updated Apr 22, 2026
CVE-2026-33555
CVE-2026-33555
Description
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7- osv-coords5 versionspkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/haproxy&distro=openSUSE%20Tumbleweedpkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP7pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Micro%206.2
< 3.2.15+git64.0fc44b458-160000.2.1+ 4 more
- (no CPE)range: < 3.2.15+git64.0fc44b458-160000.2.1
- (no CPE)range: < 3.3.6+git91.af5637e93-1.1
- (no CPE)range: < 2.8.11+git0.01c1056a4-150600.3.12.1
- (no CPE)range: < 2.8.11+git0.01c1056a4-150600.3.12.1
- (no CPE)range: < 3.2.15+git64.0fc44b458-160000.2.1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.