VDB

CVE-2026-23941

CVE-2026-23941 PUBLISHED CVSS 6.900000095367432 MEDIUM

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.

EPSS 0.03% · 9.9th percentile

Risk Scores

CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score
0.03%
9.9th percentile

Affected Products

VendorProductVersions
ErlangOTP17.0, 07b8f441ca711f9812fad9e9115bab3c3aa92f79
ErlangOTPpkg:otp/ssh@3.0.1, 3.0.1

Timeline

  • Mar 13, 2026 EPSS Score
  • Mar 13, 2026 CVE Published
  • Mar 14, 2026 EPSS Score
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 18, 2026 EPSS Score
  • Mar 19, 2026 PoC Published
  • Mar 19, 2026 EPSS Score
  • Mar 19, 2026 PoC Published
  • Mar 20, 2026 EPSS Score
  • Mar 21, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›