CVE-2026-23941 in OTP

Summary

by MITRE • 03/13/2026

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling.

This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7.

The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request.

This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
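As an added illustration (not code from the OTP project or from the advisory), the following Python reproduces the two lenient readings the summary contrasts, the "first Content-Length wins" behaviour attributed to inets and the "last wins" behaviour attributed to the proxies, alongside a strict reading per RFC 9112 Section 6.3 that rejects conflicting values; the request bytes are constructed for the demonstration.

```python
import re

def parse_headers(raw: bytes):
    # Split "<request-line>\r\n<headers>\r\n\r\n<rest>"; names lower-cased,
    # duplicates kept in order so the policy functions can inspect them.
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (l.partition(b":") for l in lines[1:])]
    return lines[0], headers, rest

def content_length_lenient(headers, last_wins: bool) -> int:
    # last_wins=False: the pre-fix inets behaviour described above (earliest
    # value decides the body).  last_wins=True: the proxy behaviour described.
    found = [int(v) for n, v in headers if n == b"content-length"]
    if not found:
        return 0
    return found[-1] if last_wins else found[0]

def content_length_strict(headers) -> int:
    # RFC 9112 s6.3: every Content-Length must be decimal and all copies
    # (and comma-separated list members) must agree; otherwise reject (400).
    values = set()
    for n, v in headers:
        if n != b"content-length":
            continue
        for part in v.split(b","):
            part = part.strip()
            if not re.fullmatch(rb"[0-9]+", part):
                raise ValueError("malformed Content-Length")
            values.add(int(part))
    if len(values) > 1:
        raise ValueError("conflicting Content-Length values")
    return values.pop() if values else 0

def body_split(raw: bytes, policy):
    # Returns (body, leftover); leftover is what a parser would treat as the
    # start of the next request on the same connection (the desync).
    _, headers, rest = parse_headers(raw)
    n = policy(headers)
    return rest[:n], rest[n:]

# Constructed sample: two Content-Length fields that disagree.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 4\r\nContent-Length: 11\r\n\r\n"
          b"abcdXXXXXXX")
```

With `SAMPLE`, the first-wins parser leaves seven bytes queued for the next request while the last-wins parser consumes them all; the strict parser refuses the request instead of choosing either interpretation.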


Analysis

by VulDB Data Team • 05/21/2026

The CVE-2026-23941 vulnerability represents a critical HTTP Request Smuggling flaw within the Erlang Open Telecom Platform's inets httpd module, specifically affecting the httpd_request.erl component. This vulnerability stems from an inconsistent interpretation of HTTP requests where the server fails to properly handle duplicate Content-Length headers, creating a fundamental mismatch between how the Erlang server processes requests versus how standard reverse proxies operate. The technical implementation resides in the httpd_request:parse_headers/7 routine which does not adequately normalize or reject duplicate Content-Length values, allowing malicious actors to manipulate request boundaries through carefully crafted HTTP headers.

The core technical flaw manifests when multiple Content-Length headers are present in an HTTP request, with the Erlang server utilizing the first occurrence for body parsing while mainstream reverse proxies such as nginx, Apache httpd, and Envoy consistently honor the last Content-Length value as per RFC 9112 Section 6.3 requirements. This fundamental disagreement in header interpretation creates a front-end/back-end desynchronization scenario where attacker-controlled bytes become queued as part of the subsequent request, effectively enabling HTTP request smuggling attacks. The vulnerability's impact is particularly severe because it leverages the natural behavior of modern web infrastructure where reverse proxies are commonly deployed in front of backend servers, creating a perfect storm for exploitation.

The operational implications of this vulnerability extend beyond simple request manipulation, as it enables sophisticated attack vectors including cache poisoning, session hijacking, and cross-site request forgery exploitation. Attackers can exploit this inconsistency to inject malicious content into subsequent requests or manipulate the server's interpretation of request boundaries, potentially leading to unauthorized access to backend services. The vulnerability affects a broad range of Erlang OTP versions from 17.0 through 28.4.1, with specific affected releases including OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets module versions 5.10 through 9.6.1 and 9.3.2.3 and 9.1.0.5, indicating this issue has been present for multiple major releases and affects substantial portions of the Erlang ecosystem. This vulnerability directly maps to CWE-444 and aligns with ATT&CK technique T1190 for exploitation through HTTP smuggling, making it particularly dangerous in environments where Erlang-based servers handle sensitive traffic.

Organizations utilizing affected Erlang OTP versions should prioritize immediate patching or mitigation strategies to address this vulnerability. The most effective immediate solution involves implementing strict Content-Length header validation and normalization within the server configuration, ensuring that duplicate headers are either rejected or properly normalized to a single value. Additionally, implementing proper request boundary detection mechanisms and deploying reverse proxies with explicit header validation can help mitigate the risk until a permanent patch is applied. The vulnerability's presence in both older and newer OTP releases underscores the importance of comprehensive security auditing across all deployed Erlang-based infrastructure, particularly in environments where HTTP request handling is critical to application security and data protection.

Responsible: EEF
Reservation: 01/19/2026
Disclosure: 03/13/2026
Moderation: accepted
CPE: ready
EPSS: 0.00032
KEV: no
Activities: very low
