CVE-2026-50052

Name: CVE-2026-50052
Creator: NVD / NIST
Published: 2026-06-03T06:16:35.39+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 2.3/10EPSS 0.32%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

Metrics

CVSS 4.0

2.3/10

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Green

EPSS Probability

0.32%

23.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-444

References

https://vinyl-cache.org/security/VSV00019.html

Timeline

Published: Jun 3, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-50052?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST