PatchSiren cyber security CVE debrief
CVE-2026-50020 netty CVE debrief
CVE-2026-50020 is a vulnerability in Netty's HttpObjectDecoder. Prior to versions 4.1.135.Final and 4.2.15.Final, the decoder skips certain bytes, including non-CRLF control characters, which can lead to request-boundary confusion in pipelined or multiplexed transports. This vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity.
- Vendor
- netty
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-15
Who should care
Anyone running Netty's HTTP/1.1 codec (HttpObjectDecoder, shipped in the netty-codec-http module) on a version earlier than 4.1.135.Final on the 4.1 branch or 4.2.15.Final on the 4.2 branch. Exposure is highest where Netty sits behind a reverse proxy, load balancer or other intermediary that parses the same connection, because request-boundary confusion is a disagreement between two parsers about where one request ends and the next begins. Affected deployments should upgrade to a patched release.
Technical summary
Before reading the first request-line, Netty's HttpObjectDecoder skipped certain bytes, including control characters other than CR and LF. RFC 9112 §2.2 only permits a server to ignore at least one empty line (CRLF) received before the request-line; skipping other control characters goes beyond that allowance, so the decoder accepted byte sequences that a conforming parser would reject. When two components on the same connection apply different rules, for example a strict front-end proxy and a lenient Netty back end, they can disagree about where one request ends and the next begins. That is the request-boundary confusion the advisory describes for pipelined or multiplexed transports.
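To make the disagreement concrete, the following is an added model written for this debrief, not Netty's decoder code. It parses the same constructed pipelined stream with two skip policies: a strict one that discards only CRLF before a request-line (the RFC 9112 §2.2 allowance) and a lenient one that also discards other control bytes, as the advisory describes. The model assumes the skip is applied before every request-line in a pipeline, not only the first on the connection; the sample bytes, hostnames and paths are constructed, not captured traffic.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample streams (not captured traffic). Two pipelined
# HTTP/1.1 requests; in SAMPLE_CTRL a single vertical-tab byte (0x0b)
# sits between them, in SAMPLE_CRLF an empty line does.
SAMPLE_CTRL = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\nabcd"
    b"\x0b"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
SAMPLE_CRLF = SAMPLE_CTRL.replace(b"\x0b", b"\r\n")


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def skip_before_request_line(data: bytes, pos: int, lenient: bool) -> int:
    """Advance past bytes a decoder discards before the request-line.

    Strict mode implements only the RFC 9112 section 2.2 allowance: empty
    lines (CRLF) are ignored. Lenient mode models the behaviour described
    in the advisory, where other control characters (bytes below 0x20) are
    skipped too. This is a model for the debrief, not Netty's own code.
    """
    while pos < len(data):
        if data.startswith(b"\r\n", pos):
            pos += 2
        elif lenient and data[pos] < 0x20:
            pos += 1
        else:
            break
    return pos


def parse_pipeline(data: bytes, lenient: bool) -> tuple[list[Request], Optional[int]]:
    """Parse a pipelined request stream.

    Returns (requests parsed so far, offset of the first byte the parser
    rejects, or None if the whole stream was consumed). Only Content-Length
    bodies are supported; that is enough to show the boundary disagreement.
    """
    requests: list[Request] = []
    pos = 0
    while pos < len(data):
        pos = skip_before_request_line(data, pos, lenient)
        if pos >= len(data):
            break
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end < 0:
            return requests, pos  # truncated head
        lines = data[pos:head_end].split(b"\r\n")
        parts = lines[0].split(b" ")
        # A request-line is "method SP target SP version"; a leading control
        # byte makes the method token non-alphabetic, so a strict parser rejects it.
        if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith(b"HTTP/"):
            return requests, pos
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
        body_start = head_end + 4
        body_len = int(headers.get("content-length", "0"))
        body = data[body_start:body_start + body_len]
        if len(body) != body_len:
            return requests, pos  # truncated body
        requests.append(Request(parts[0].decode("ascii"), parts[1].decode("ascii"), headers, body))
        pos = body_start + body_len
    return requests, None


def targets(data: bytes, lenient: bool) -> list[str]:
    """Request targets a decoder with the given skip policy would deliver."""
    reqs, _ = parse_pipeline(data, lenient)
    return [r.target for r in reqs]


if __name__ == "__main__":
    for name, stream in (("control byte", SAMPLE_CTRL), ("CRLF", SAMPLE_CRLF)):
        lenient_reqs, _ = parse_pipeline(stream, lenient=True)
        strict_reqs, rejected = parse_pipeline(stream, lenient=False)
        print(f"{name}: lenient delivers {[r.target for r in lenient_reqs]}, "
              f"strict delivers {[r.target for r in strict_reqs]}, rejected at {rejected}")
```

With the vertical tab in place, the lenient policy delivers both /login and /admin while the strict policy stops after /login and rejects the stream at the offending byte; with a plain empty line between the requests both policies agree. A strict intermediary in front of a lenient back end would therefore never see the second request as a request at all, which is the kind of divergence that boundary-confusion attacks build on.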
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Netty 4.1.135.Final or later on the 4.1 branch, or 4.2.15.Final or later on the 4.2 branch.
- Check the full dependency tree, not only direct declarations: Netty is usually pulled in transitively by frameworks and clients, so confirm that the resolved version of netty-codec-http (the module that contains HttpObjectDecoder) is at or above the fixed release.
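A small triage helper for the upgrade check above, added here and not part of the advisory or of Netty: it classifies a Netty version string against the two fixed releases and scans build-tool output for io.netty coordinates. The input lines are constructed in the shapes that `mvn dependency:list` and `gradle dependencies` print; versions on branches other than 4.1 and 4.2 are reported as unknown rather than guessed, since the advisory text only names those two branches.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
# Other branches are reported as "unknown" rather than guessed.
FIXED_BY_BRANCH = {(4, 1): (4, 1, 135), (4, 2): (4, 2, 15)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.Final)?$")
# Matches Maven "io.netty:netty-codec-http:jar:4.1.120.Final:compile" and
# Gradle "+--- io.netty:netty-codec-http:4.1.120.Final" coordinate forms.
_COORD = re.compile(r"io\.netty:(netty[\w-]*):(?:jar:)?(\d+\.\d+\.\d+(?:\.Final)?)")

# Constructed sample lines in both build-tool shapes (not real project output).
SAMPLE_OUTPUT = """\
[INFO] --- dependency:3.6.1:list (default-cli) @ demo-service ---
[INFO]    io.netty:netty-codec-http:jar:4.1.120.Final:compile
[INFO]    io.netty:netty-handler:jar:4.1.120.Final:compile
+--- io.netty:netty-codec-http:4.2.15.Final
+--- io.netty:netty-transport:4.2.3.Final
""".splitlines()


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '4.1.120.Final' (or '4.1.120') into a comparable tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version: str) -> str:
    """'affected', 'fixed' or 'unknown' for one Netty version string."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


def scan_dependency_output(lines) -> list[tuple[str, str, str]]:
    """Return (artifact, version, status) for each io.netty coordinate found.

    Duplicates are collapsed so a transitive dependency reported several
    times appears once; the result is sorted for stable reporting.
    """
    seen = {}
    for line in lines:
        for artifact, version in _COORD.findall(line):
            seen[(artifact, version)] = status(version)
    return sorted((a, v, s) for (a, v), s in seen.items())


if __name__ == "__main__":
    for artifact, version, verdict in scan_dependency_output(SAMPLE_OUTPUT):
        print(f"{artifact:20s} {version:15s} {verdict}")
```

Feed it the real output of `mvn dependency:list` or `gradle dependencies` rather than the sample, and treat any "affected" io.netty artifact as a reason to upgrade the whole Netty version set, since mixing module versions across the fix boundary is not a supported configuration.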
Evidence notes
This vulnerability was patched in Netty versions 4.1.135.Final and 4.2.15.Final. See [ref-4](https://github.com/netty/netty/releases/tag/netty-4.1.135.Final), [ref-5](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final), and [ref-6](https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c) for more information.
Official resources
CVE-2026-50020 was published on 2026-06-12T16:16:31.447Z and modified on 2026-06-12T17:16:24.827Z.