PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6733 undici CVE debrief

CVE-2026-6733 is a vulnerability in Undici's HTTP/1.1 client that allows response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. The vulnerability impacts users who reuse keep-alive connections, and defenders should prioritize patching or applying workarounds.

Vendor
undici
Product
Unknown
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-27
Advisory published
2026-06-17
Advisory updated
2026-06-27

Who should care

Users of Undici's HTTP/1.1 client, particularly those who reuse keep-alive connections, should be aware of this vulnerability and take steps to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess exposure and apply patches or workarounds.

Technical summary

The vulnerability is caused by the way Undici's HTTP/1.1 client handles responses on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes, causing responses to be delivered to the wrong requests. This can lead to response queue poisoning, impacting users who reuse keep-alive connections. The issue requires an attacker-controlled or compromised upstream HTTP/1.1 server.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to undici v6.26.0, v7.28.0 or v8.5.0.
  • Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.

Evidence notes

The CVE record was published on 2026-06-17T18:18:05.473Z and was last modified on 2026-06-27T23:46:06.553Z. The NVD entry is currently Analyzed. This vulnerability affects users of Undici's HTTP/1.1 client who reuse keep-alive connections. Evidence is based on the CVE record and NVD entry. Defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:05.473Z and has not been modified since then. The NVD entry is currently Analyzed.