CVE-2026-50052 PUBLISHED

Assigner: mitre
Reserved: 03.06.2026 Published: 03.06.2026 Updated: 03.06.2026

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	The Vinyl Cache Project
Product	Vinyl Cache
Versions	Default: unaffected Version 9.0.0 is affected Version 9.0.1 is unaffected

Vendor	The Vinyl Cache Project
Product	Varnish Cache (pre split)
Versions	Default: unaffected affected from 7.6.0 to 8.0.1 (incl.) Version 8.0.2 is unaffected affected from 6.0.14 to 6.0.17 (incl.) Version 6.0.18 is unaffected

Vendor	Varnish Software
Product	Varnish Cache by Varnish Software
Versions	Default: unaffected affected from 9.0.0 to 9.0.2 (incl.) Version 9.0.3 is unaffected

Affected Configurations

http2 enabled

exploitable URLs present (require request body)

Workarounds

6.0 plain VCL mitigationFor version 6.0 LTS, this method works in pure VCL with no other changes required. The following snippet needs to be added at the top of the custom VCL:

<h2>BEGIN vsv19 mitigation</h2> <h1></h1>

sub recv_vsv19 { unset req.http.vsv19; if (req.proto != "HTTP/2.0" || ! req.http.content-length) { return; } set req.http.vsv19 = "1"; set req.http.content-length = req.http.content-length; } sub vcl_recv { call recv_vsv19; } sub vcl_backend_fetch { if (bereq.http.vsv19) { set bereq.http.Connection = "close"; } }

<h1></h1> <h2>END vsv19 mitigation</h2>

In addition, care must be taken that bereq.http.Connection is not unset anywhere else in the custom VCL.

Solutions

Update to fix version

References

https://vinyl-cache.org/security/VSV00019.html

Problem Types

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE