What is CVE-2026-2708?

CVE-2026-2708 is a low-severity vulnerability in Gnome Libsoup, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 3.7/10. Published 2026-04-23.

How severe is CVE-2026-2708?

Low severity. CVSS v3 base score is 3.7 out of 10.

Vulnerability in Gnome Libsoup

CVE-2026-2708

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplica…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.001 (16.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Gnome Libsoup
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Redhat Enterprise_linux — versions 6.0, 7.0, 8.0

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

secalert@redhat.com (x_refsource_REDHAT, vdb-entry, Vendor Advisory)
RHBZ#2440743 (x_refsource_REDHAT, issue-tracking, Issue Tracking, Vendor Advisory)
secalert@redhat.com (Exploit, Issue Tracking, Vendor Advisory)
secalert@redhat.com (Issue Tracking)

Frequently asked questions

What is CVE-2026-2708?: CVE-2026-2708 is a low-severity vulnerability in Gnome Libsoup, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 3.7/10. Published 2026-04-23.
How severe is CVE-2026-2708?: Low severity. CVSS v3 base score is 3.7 out of 10.