2464590 – (CVE-2026-39805) CVE-2026-39805 bandit: Bandit: HTTP Request Smuggling via Duplicate Content-Length Headers

Bug 2464590 (CVE-2026-39805) - CVE-2026-39805 bandit: Bandit: HTTP Request Smuggling via Duplicate Content-Length Headers

Summary: CVE-2026-39805 bandit: Bandit: HTTP Request Smuggling via Duplicate Content-L...

Keywords:
Status:	NEW
Alias:	CVE-2026-39805
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2477948
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 21:01 UTC by OSIDB Bzimport
Modified:	2026-05-15 17:59 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 21:01:49 UTC

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.

'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error.

When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.

This issue affects bandit: before 1.11.0.

Note You need to log in before you can comment on or make changes to this bug.