PatchSiren cyber security CVE debrief
CVE-2026-6338 Kong CVE debrief
An HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
- Vendor: Kong
- Product: Kong Enterprise Gateway
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series should apply patches or mitigations to prevent exploitation.
Technical summary
The vulnerability has a CVSS score of 4.9 and is classified as MEDIUM severity. It allows attackers to smuggle and desynchronize HTTP requests, potentially leading to security issues.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patches or updates that Kong provides for Kong Gateway Enterprise to fix the parsing flaw in the HTTP request processing pipeline.
- Implement additional security measures to handle untrusted HTTP/1.1 traffic.
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability.
Official resources
- CVE-2026-6338 CVE record (CVE.org)
- CVE-2026-6338 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 02762ae7-200e-4b20-9b2b-a77d5b8fc4cb
CVE-2026-6338 was published on 2026-06-11T14:16:32.553Z and modified on 2026-06-11T15:32:52.983Z.