Medium severityNVD Advisory· Published May 1, 2026· Updated May 5, 2026

CVE-2026-39805

Description

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.

'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.

When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

This issue affects bandit: before 1.11.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
banditHex	< 1.11.0	1.11.0

Affected products

Mtrudel/Banditreferences

Patches

f2ca636eb6df

Merge commit from fork

https://github.com/mtrudel/banditMat TrudelMay 1, 2026via ghsa

commit

2 files changed · +25 −3

lib/bandit/headers.ex+5 −3 modified

@@ -49,9 +49,11 @@ defmodule Bandit.Headers do
   @spec get_content_length(Plug.Conn.headers()) ::
           {:ok, nil | non_neg_integer()} | {:error, String.t()}
   def get_content_length(headers) do
-    case get_header(headers, "content-length") do
-      nil -> {:ok, nil}
-      value -> parse_content_length(value)
+    # We need to special case this because we don't accept multiple content-length headers
+    case Enum.filter(headers, &(elem(&1, 0) == "content-length")) do
+      [] -> {:ok, nil}
+      [{"content-length", value}] -> parse_content_length(value)
+      _ -> {:error, "invalid content-length header (RFC9112§6.3)"}
     end
   end

test/bandit/http1/protocol_test.exs+20 −0 modified

@@ -828,6 +828,26 @@ defmodule HTTP1ProtocolTest do
       send_resp(conn, 200, "OK")
     end
 
+    # Error case for content-length as defined in https://www.rfc-editor.org/rfc/rfc9112.html#section-6.3-2.5
+    @tag :capture_log
+    test "rejects a request with multiple separate content length headers, even if identical",
+         context do
+      # Use a smaller body size to avoid raciness in reading the response
+      response =
+        Req.post!(context.req,
+          url: "/expect_body_with_multiple_content_length",
+          headers: [{"content-length", "8000"}, {"content-length", "8000"}],
+          body: String.duplicate("a", 8_000)
+        )
+
+      assert response.status == 400
+
+      assert_receive {:log, %{level: :error, msg: {:string, msg}}}, 500
+
+      assert msg ==
+               "** (Bandit.HTTPError) Content length unknown error: \"invalid content-length header (RFC9112§6.3)\""
+    end
+
     # Error case for content-length as defined in https://www.rfc-editor.org/rfc/rfc9112.html#section-6.3-2.5
     @tag :capture_log
     test "rejects a request with non-matching multiple content lengths", context do

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-c67r-gc9j-2qf7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-39805ghsaADVISORY
cna.erlef.org/cves/CVE-2026-39805.htmlnvdWEB
github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1nvdWEB
github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7nvdWEB
osv.dev/vulnerability/EEF-CVE-2026-39805nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000