PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33555 HAProxy CVE debrief

CVE-2026-33555 is a vulnerability in HAProxy's HTTP/3 parser. The parser does not check whether the received body length matches a previously announced content-length when the stream is closed by a frame with an empty payload. The unchecked mismatch can desynchronize HAProxy from the backend server and could be used for request smuggling. The earliest affected version of HAProxy is 2.6.0; the issue was fixed in HAProxy 3.3.6. The vulnerability has a CVSS score of 4, a medium severity rating.

Vendor: HAProxy
Product: Unknown
CVSS: MEDIUM 4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-06-29
Advisory published: 2026-04-13
Advisory updated: 2026-06-29

Who should care

Organizations running HAProxy from version 2.6.0 up to, but not including, 3.3.6 are affected; anyone who has not upgraded to 3.3.6 or later should treat the issue as open. Because the flaw is in the HTTP/3 parser, deployments that serve HTTP/3 are the ones exposed. Given the potential for request smuggling, defenders should prioritize patching, especially where they handle sensitive data or have high security requirements.

Technical summary

The vulnerability exists in the HTTP/3 parser of HAProxy. When a stream is closed by a frame with an empty payload, the parser fails to verify whether the received body length matches the previously announced content-length. HAProxy and the backend server can then disagree about where one request body ends, leaving the two desynchronized. An attacker could exploit this by smuggling requests, potentially bypassing security controls or gaining unauthorized access.
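The following C model is an added illustration written for this debrief; it is not HAProxy's code, and the struct, function names and frame sequences are constructed for the example. It contrasts two ways of handling DATA frames on an HTTP/3 request stream: a weak variant that validates body length only while it is consuming payload bytes, so a stream closed by an empty frame never reaches the end-of-stream comparison, and a checked variant that compares received and announced lengths on every stream close.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel for "no content-length header was announced". */
#define CL_UNSET UINT64_MAX

enum h3_result {
    H3_OK = 0,
    H3_ERR_TOO_MUCH_DATA = 1,    /* body exceeded the announced length */
    H3_ERR_LENGTH_MISMATCH = 2   /* stream closed before the announced length was reached */
};

/* Constructed per-stream state for the model (not HAProxy's structures). */
struct h3_stream_model {
    uint64_t announced_len;  /* value of content-length, or CL_UNSET */
    uint64_t received_len;   /* DATA payload bytes consumed so far */
};

/* Weak variant: returns early for an empty frame, so a closing frame with
 * no payload never triggers the final length comparison. This models the
 * class of defect the debrief describes. */
static enum h3_result on_data_weak(struct h3_stream_model *s, size_t payload_len, int fin)
{
    if (payload_len == 0)
        return H3_OK;                 /* nothing to consume, nothing checked */
    s->received_len += payload_len;
    if (s->announced_len != CL_UNSET && s->received_len > s->announced_len)
        return H3_ERR_TOO_MUCH_DATA;
    if (fin && s->announced_len != CL_UNSET && s->received_len != s->announced_len)
        return H3_ERR_LENGTH_MISMATCH;
    return H3_OK;
}

/* Checked variant: the end-of-stream comparison runs on every FIN,
 * regardless of how many bytes the closing frame carries. */
static enum h3_result on_data_checked(struct h3_stream_model *s, size_t payload_len, int fin)
{
    s->received_len += payload_len;
    if (s->announced_len != CL_UNSET && s->received_len > s->announced_len)
        return H3_ERR_TOO_MUCH_DATA;
    if (fin && s->announced_len != CL_UNSET && s->received_len != s->announced_len)
        return H3_ERR_LENGTH_MISMATCH;
    return H3_OK;
}

typedef enum h3_result (*on_data_fn)(struct h3_stream_model *, size_t, int);

/* Replay a constructed sequence of DATA frame payload sizes on a fresh
 * stream; the last frame carries FIN. Returns the first non-OK result. */
enum h3_result replay(on_data_fn fn, uint64_t announced, const size_t *lens, size_t n)
{
    struct h3_stream_model s = { announced, 0 };
    for (size_t i = 0; i < n; i++) {
        enum h3_result r = fn(&s, lens[i], i + 1 == n);
        if (r != H3_OK)
            return r;
    }
    return H3_OK;
}

/* The scenario from the debrief, constructed: content-length 10, one DATA
 * frame of 5 bytes, then an empty frame that closes the stream. */
enum h3_result short_body_weak(void)
{
    static const size_t lens[] = { 5, 0 };
    return replay(on_data_weak, 10, lens, 2);
}

enum h3_result short_body_checked(void)
{
    static const size_t lens[] = { 5, 0 };
    return replay(on_data_checked, 10, lens, 2);
}

int main(void)
{
    printf("weak parser:    %d (0 = request accepted with 5 of 10 bytes)\n", short_body_weak());
    printf("checked parser: %d (2 = length mismatch, request rejected)\n", short_body_checked());
    return 0;
}
```

The weak variant behaves correctly whenever the closing frame carries data, which is why a defect of this shape is easy to miss in ordinary testing; only the empty closing frame bypasses the comparison. Any length check that lives in the "consume bytes" path rather than in the "stream closed" path has the same blind spot, so the fix is to anchor the comparison to the close event itself.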

Defensive priority

Defenders should prioritize patching HAProxy to version 3.3.6 or later. In the interim, monitoring for unusual traffic patterns or backend server anomalies can help detect potential exploitation attempts.

Recommended defensive actions

  • Upgrade HAProxy to version 3.3.6 or later.
  • Monitor HAProxy and backend server logs for unusual activity.
  • Review and update security controls to account for potential request smuggling.
  • Implement additional monitoring to detect anomalies in traffic patterns.
  • Consider compensating controls if patching is not immediately feasible.
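The debrief does not name a specific compensating control. One that follows from the affected component, added here as an example and not taken from the advisory, is to stop serving HTTP/3 until the upgrade is deployed: remove the QUIC listener and the Alt-Svc advertisement so clients negotiate h2 or http/1.1 over TCP and the HTTP/3 parser is never reached. The frontend name, certificate path and backend name are placeholders.

```haproxy
# Before (assumed typical setup): HTTP/3 over QUIC served alongside TCP,
# with Alt-Svc telling clients that h3 is available on port 443.
frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    http-response set-header alt-svc 'h3=":443"; ma=900'
    default_backend be_app

# After (interim only, until HAProxy 3.3.6 or later is deployed): no QUIC
# bind and no Alt-Svc header, so no request is parsed by the HTTP/3 code path.
frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    default_backend be_app
```

Clients that have cached an earlier Alt-Svc entry will retry over QUIC until the entry's max-age expires; since the listener is gone they fall back to TCP, so the interim configuration is effective immediately while the cached entries age out.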

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability. Additional sources, including a detailed analysis of the exploit and mitigation strategies, are available. The earliest affected version is confirmed as 2.6.0, and the fix is included in version 3.3.6.

Official resources

This article is AI-assisted and based on the supplied source corpus.