CVE-2026-26365 PUBLISHED

Assigner: mitre
Reserved: 13.02.2026 Published: 23.02.2026 Updated: 23.02.2026

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS Score: 4

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Akamai
Product	Ghost
Versions	Default: unaffected affected from 0 to 2026-02-06 (excl.)

References

https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding

Problem Types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE