Bug 2447141 (CVE-2026-1527) - CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vulnerability
Summary: CVE-2026-1527 undici: Undici: HTTP header injection and request smuggling vul...
Keywords:
Status: NEW
Alias: CVE-2026-1527
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2447175 2447169 2447172 2447178
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-12 21:01 UTC by OSIDB Bzimport
Modified: 2026-04-13 02:47 UTC (History)
54 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:7350 0 None None None 2026-04-09 20:20:26 UTC
Red Hat Product Errata RHSA-2026:7670 0 None None None 2026-04-13 02:47:22 UTC
Red Hat Product Errata RHSA-2026:7675 0 None None None 2026-04-13 02:22:58 UTC

Description OSIDB Bzimport 2026-03-12 21:01:44 UTC 
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  *  Inject arbitrary HTTP headers
  *  Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Comment 2 errata-xmlrpc 2026-04-09 20:20:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350
Comment 3 errata-xmlrpc 2026-04-13 02:22:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7675 https://access.redhat.com/errata/RHSA-2026:7675
Comment 4 errata-xmlrpc 2026-04-13 02:47:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7670 https://access.redhat.com/errata/RHSA-2026:7670
Note You need to log in before you can comment on or make changes to this bug.