CVE-2026-1760 in SoupServer

Summary

by MITRE • 02/02/2026

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.


Analysis

by VulDB Data Team • 03/19/2026

This vulnerability resides in SoupServer, an HTTP server implementation that fails to handle a specific combination of HTTP headers correctly, leading to a critical HTTP request smuggling flaw. The technical root cause is improper header parsing and connection management when both Transfer-Encoding: chunked and Connection: keep-alive are present in a single request. According to RFC 9112, the HTTP/1.1 specification, a connection on which chunked encoding is used should be closed after the request is processed unless the Connection header explicitly states otherwise. SoupServer does not correctly interpret the interaction between these two headers and fails to enforce the connection closure the specification mandates. As a result the server keeps the connection persistent despite the chunked encoding, which violates fundamental HTTP protocol behavior.

The operational impact of this vulnerability extends beyond a protocol violation into serious security consequences, including request smuggling attacks that remote, unauthenticated attackers can execute. By crafting requests that exploit this behavior, an attacker can inject additional requests into the same connection stream and thereby manipulate the server's request processing pipeline. This technique enables cache poisoning, access-control bypass, and cross-site request forgery. The vulnerability specifically affects persistent connections on which multiple requests share one TCP connection, so it is especially dangerous in high-traffic environments where connection reuse is common. Additionally, the flaw can cause denial-of-service conditions: the server may lose track of request boundaries and crash or become unresponsive when processing malformed requests.

The security implications align with CWE-444 (HTTP Request Smuggling), which covers vulnerabilities where HTTP requests are mishandled because headers and connection management are interpreted incorrectly. The vulnerability also maps to ATT&CK technique T1190, exploitation of vulnerabilities in web applications, here through HTTP smuggling attacks. The attack requires no authentication and can be executed remotely, making it particularly dangerous for publicly accessible web services. The flaw demonstrates a failure in HTTP protocol implementation and highlights the importance of strict adherence to RFC specifications in web servers. Organizations using SoupServer should immediately apply mitigations: disable chunked encoding for vulnerable endpoints, implement strict header validation, and monitor for suspicious request patterns that may indicate exploitation attempts. The vulnerability is a reminder of how important a correct HTTP implementation is in preventing attacks that exploit fundamental protocol behavior.
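The mitigation the analysis recommends, strict header validation combined with enforced connection closure after a chunked request, can be expressed as a small framing check on the request head. The Python below is an added example written for this page; it is not libsoup or SoupServer code (libsoup is a C library) and does not reproduce the vulnerable logic. It goes slightly beyond the advisory's specific case: besides closing the connection after any chunked request, whether the client sent Connection: keep-alive explicitly or relied on the HTTP/1.1 default, it applies the related RFC 9112 section 6.3 framing rules (Transfer-Encoding together with Content-Length forces a close; a Transfer-Encoding whose final coding is not chunked, or conflicting Content-Length values, are rejected with 400). The sample request heads and the host name are constructed for the example, and `FramingDecision`, `parse_request_head`, `framing_decision`, `inspect_request` and `monitor` are names chosen here.

```python
"""Strict HTTP/1.1 request-head validation: decide whether a request's body
framing is acceptable and whether the server must close the connection after
responding.  Added example for this advisory page, not libsoup/SoupServer code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FramingDecision:
    reject: bool        # answer 400 and close: the body length cannot be determined
    close_after: bool   # close the connection after responding to this request
    reasons: tuple      # why, for logging and detection


def split_tokens(values):
    """Flatten repeated comma-separated header values into lowercase tokens."""
    return [tok.strip().lower() for value in values for tok in value.split(",") if tok.strip()]


def parse_request_head(raw: bytes):
    """Parse the request line and header fields of a raw HTTP/1.1 request head.

    Returns (request_line, headers); headers maps the lowercased field name to a
    list of raw values, since a field may legitimately repeat.  Only the head is
    parsed; the body is never read here.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def framing_decision(headers) -> FramingDecision:
    """Apply RFC 9112 section 6.3 framing rules plus the connection-close
    policy the advisory describes for chunked requests."""
    te = split_tokens(headers.get("transfer-encoding", []))
    cl = headers.get("content-length", [])
    conn = split_tokens(headers.get("connection", []))
    reasons = []
    reject = close_after = False

    if te and te[-1] != "chunked":
        # RFC 9112 6.3: chunked must be the final coding, otherwise the body
        # length is undeterminable; respond 400 and close.
        reject = close_after = True
        reasons.append("Transfer-Encoding without chunked as final coding")
    if te and cl:
        # RFC 9112 6.3: TE and CL together is a smuggling indicator; TE wins
        # for parsing, but the connection MUST be closed after responding.
        close_after = True
        reasons.append("Transfer-Encoding and Content-Length both present")
    if cl and (len(set(cl)) > 1 or not all(v.isdigit() for v in cl)):
        # RFC 9112 6.3: conflicting or non-numeric Content-Length is invalid.
        reject = close_after = True
        reasons.append("invalid or conflicting Content-Length")
    if "chunked" in te:
        # The advisory's point: a chunked request must not leave the connection
        # open for further requests, even when the client asks for keep-alive
        # (which is also the HTTP/1.1 default when Connection is absent).
        close_after = True
        reasons.append("chunked request on keep-alive connection" if "keep-alive" in conn
                       else "chunked request on (implicitly persistent) connection")
    if "close" in conn:
        close_after = True
        reasons.append("client sent Connection: close")
    return FramingDecision(reject, close_after, tuple(reasons))


def inspect_request(raw: bytes) -> FramingDecision:
    """Parse a raw request head and decide its framing in one step."""
    _, headers = parse_request_head(raw)
    return framing_decision(headers)


# Constructed sample request heads for the example (not captured traffic).
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "chunked_keepalive": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                          b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n"),
    "te_and_cl": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "te_not_chunked_last": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                            b"Transfer-Encoding: chunked, gzip\r\n\r\n"),
    "conflicting_cl": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                       b"Content-Length: 4\r\nContent-Length: 40\r\n\r\n"),
}


def monitor(samples=SAMPLES):
    """Detection view: the decision for every sample, keyed by sample name."""
    return {name: inspect_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, decision in monitor().items():
        verdict = "REJECT 400" if decision.reject else ("close after" if decision.close_after else "ok")
        print(f"{name:22} {verdict:11} {'; '.join(decision.reasons)}")
```

Only the request head is inspected, so the check can sit in front of body parsing; the `reasons` tuple is what a monitoring rule would log, and the `close_after` flag is what the server turns into a Connection: close response header so that no further request can ride the same connection.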

Responsible

Redhat

Reservation

02/02/2026

Disclosure

02/02/2026

Moderation

accepted

CPE

ready

EPSS

0.00019

KEV

no

Activities

very low
