envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0 request smuggling

Summaryinfo

A vulnerability was found in envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0. It has been rated as problematic. This impacts an unknown function. The manipulation leads to request smuggling. This vulnerability is traded as CVE-2026-48743. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in envoyproxy envoy up to 1.35.10/1.36.6/1.37.2/1.38.0. This issue affects an unknown function. The manipulation with an unknown input leads to a request smuggling vulnerability. Using CWE to declare the problem leads to CWE-444. The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-48743 since 05/22/2026. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 1.35.11, 1.36.7, 1.37.3 or 1.38.1 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• envoyproxy

Name

• envoy

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.14
• 1.15
• 1.16
• 1.17
• 1.18
• 1.19
• 1.20
• 1.21
• 1.22
• 1.23
• 1.24
• 1.25
• 1.26
• 1.27
• 1.28
• 1.29
• 1.30
• 1.31
• 1.32
• 1.33
• 1.34
• 1.35
• 1.35.0
• 1.35.1
• 1.35.2
• 1.35.3
• 1.35.4
• 1.35.5
• 1.35.6
• 1.35.7
• 1.35.8
• 1.35.9
• 1.35.10
• 1.36
• 1.36.0
• 1.36.1
• 1.36.2
• 1.36.3
• 1.36.4
• 1.36.5
• 1.36.6
• 1.37
• 1.37.0
• 1.37.1
• 1.37.2
• 1.38.0

License

• free

Website

• Product: https://github.com/envoyproxy/envoy/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion