Low severityNVD Advisory· Published Jun 3, 2026· Updated Jun 4, 2026
CVE-2026-50052
CVE-2026-50052
Description
In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <9.0.3
- Range: <9.0.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.