VYPR
Low severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-50052

Description

Varnish Cache and Vinyl Cache are vulnerable to HTTP/2 request desync attacks, enabling cache poisoning and authentication bypass if HTTP/2 is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A deficiency in HTTP/2 request parsing affects Vinyl Cache version 9.0.0 and Varnish Cache versions up to and including 9.0.2, 7.6.0 through 8.0.1, and 6.0.14 through 6.0.17. The vulnerability can only be exploited if HTTP/2 support is enabled by setting the feature parameter to include +http2; HTTP/2 support is disabled by default [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP/2 requests, which allows a backend request desync attack, also known as request smuggling. The attacker needs network access to the affected service, and HTTP/2 must be enabled. The specific steps involve manipulating the HTTP/2 request parsing to cause a desynchronization between the frontend and backend servers [1].

Impact

Successful exploitation of this vulnerability can lead to cache poisoning, authentication bypass, and potentially information disclosure or manipulation. The scope of the impact depends on the configuration of the cache and backend services, but it can compromise the integrity and confidentiality of data served through the cache [1].

Mitigation

To mitigate this vulnerability, upgrade to Vinyl Cache 9.0.1 or later, or Varnish Cache 9.0.3, 8.0.2, or 6.0.18 or later. Alternatively, disable HTTP/2 support at runtime with the command vinyladm param.set feature -http2, or remove +http2 from the startup parameters. If a TLS offloader is used, it must be configured to no longer send the h2 ALPN. VCL-level mitigations are also available; they close desyncs by rendering smuggled requests invalid and avoiding backend connection reuse [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
