High severity7.5NVD Advisory· Published May 6, 2026· Updated May 11, 2026

CVE-2026-40562

Description

Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence.

Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence.

An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.

Affected products

Pachno/Gazelleinferred
Range: <=0.49
Package: https://pypi.org/project/gazelle
Kazeburo/Gazelle
cpe:2.3:a:kazeburo:gazelle:*:*:*:*:*:perl:*:*
Range: <0.50

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patchnvdPatch
www.openwall.com/lists/oss-security/2026/05/06/7nvdMailing ListThird Party Advisory
datatracker.ietf.org/doc/html/rfc7230nvdThird Party Advisory
metacpan.org/release/KAZEBURO/Gazelle-0.50/changesnvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000