Description

Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 ยง6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.

INFO

Published Date :

2026-05-01T20:34:29.400Z

Last Modified :

2026-05-02T04:17:41.202Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39805 vulnerability.

Vendors Products
Mtrudel
  • Bandit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39805.

URL Resource
https://cna.erlef.org/cves/CVE-2026-39805.html cve-icon cve-icon
https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1 cve-icon cve-icon
https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7 cve-icon cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-39805 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability