Vulnerability in The Vinyl Cache Project Varnish (Pre Split)

CVE-2026-50052

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authenticatio…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.001 (24.3th percentile) — read the EPSS interpretation.

Affected products

The Vinyl Cache Project Varnish (Pre Split) — versions 7.6.0, 8.0.2, 6.0.14
The Vinyl Cache Project — versions 9.0.0, 9.0.1
Varnish Software Cache By — versions 9.0.0, 9.0.3

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

cve@mitre.org