CVE-2026-39805 PUBLISHED

CL.CL HTTP request smuggling via duplicate Content-Length in bandit

Assigner: EEF
Reserved: 07.04.2026 Published: 01.05.2026 Updated: 02.05.2026

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.

'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.

When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

This issue affects bandit: before 1.11.0.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	mtrudel
Product	bandit
Versions	Default: unaffected affected from 0 to 1.11.0 (excl.)

Vendor	mtrudel
Product	bandit
Versions	Default: unaffected affected from 0 to 1.11.0 (excl.)

Credits

Peter Ullrich finder
Mat Trudel remediation developer
Jonatan Männchen analyst

References

Problem Types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE

Impacts

CAPEC-33 HTTP Request Smuggling