
Fixing request smuggling vulnerabilities in Pingora OSS deployments

Edward Wang, Fei Deng, Andrew Hauck
Pingora, Application Security, Open Source Security

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Pingora OSS Deployment Vulnerabilities: Fixing Request Smuggling Issues

Cloudflare has addressed HTTP/1.x request smuggling vulnerabilities in the Pingora open source framework, specifically when used as an ingress proxy. The vulnerabilities, reported in December 2025, are CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836. These issues were responsibly disclosed by Rajat Raghav (xclow3n) through Cloudflare's Bug Bounty Program.

Vulnerability Overview

The vulnerabilities allow attackers to bypass Pingora proxy-layer security controls, desynchronize HTTP requests and responses between Pingora and its backends (enabling cross-user hijacking such as session or credential theft), and poison Pingora proxy-layer caches that retrieve content from shared backends. The issues arise from non-RFC-compliant interpretations of request bodies in Pingora's HTTP/1 stack.
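The page does not show Pingora 0.8.0's actual fix, so the following is an added example, not Pingora's own code: the body-framing decision an RFC 9112 (section 6.3) compliant HTTP/1 stack has to make, with the ambiguous cases that smuggling depends on rejected instead of guessed at. The header representation (already-parsed name/value pairs) is an assumption for the example.

```rust
// Added example (not Pingora's own code): decide how an HTTP/1.1 request body is
// framed per RFC 9112 section 6.3 and reject the ambiguous cases that
// request smuggling relies on. Input: (name, value) header pairs already parsed
// from the request head (assumed shape); header names match case-insensitively.
#[derive(Debug, PartialEq)]
pub enum BodyFraming {
    None,
    ContentLength(u64),
    Chunked,
}
#[derive(Debug, PartialEq)]
pub enum FramingError {
    ConflictingHeaders,  // both Transfer-Encoding and Content-Length present
    BadContentLength,    // non-digit value, or multiple differing values
    BadTransferEncoding, // chunked is not the final transfer coding
}

pub fn body_framing(headers: &[(&str, &str)]) -> Result<BodyFraming, FramingError> {
    let mut te: Vec<String> = Vec::new();
    let mut cl: Vec<String> = Vec::new();
    for (name, value) in headers {
        // Either header may be a comma-separated list, possibly repeated.
        if name.eq_ignore_ascii_case("transfer-encoding") {
            te.extend(value.split(',').map(|s| s.trim().to_ascii_lowercase()));
        } else if name.eq_ignore_ascii_case("content-length") {
            cl.extend(value.split(',').map(|s| s.trim().to_string()));
        }
    }
    // TE overrides CL by spec, but the combination is a smuggling signal, so a
    // server MAY reject it; an ingress proxy should, rather than forward it.
    if !te.is_empty() && !cl.is_empty() {
        return Err(FramingError::ConflictingHeaders);
    }
    if !te.is_empty() {
        // Body length is only knowable when chunked is the final coding.
        return match te.last().map(String::as_str) {
            Some("chunked") => Ok(BodyFraming::Chunked),
            _ => Err(FramingError::BadTransferEncoding),
        };
    }
    if !cl.is_empty() {
        // Repeated values are tolerated only when identical; only ASCII digits
        // are valid, so "+5", "0x5" and an empty value are all rejected.
        if cl.iter().any(|v| v != &cl[0]) || cl[0].is_empty() || !cl[0].bytes().all(|b| b.is_ascii_digit()) {
            return Err(FramingError::BadContentLength);
        }
        return cl[0].parse::<u64>().map(BodyFraming::ContentLength).map_err(|_| FramingError::BadContentLength);
    }
    Ok(BodyFraming::None)
}
```

A proxy that applies these rules before forwarding removes the disagreement between front end and backend that a desync needs; anything returning `Err` should be answered with 400 and the connection closed.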

Fix and Recommendations

Cloudflare has released Pingora 0.8.0 with fixes and additional hardening. Cloudflare customers were not affected, but users of the Pingora framework are strongly advised to upgrade as soon as possible.

Practical Implications for Developers

Developers using Pingora as an ingress proxy should prioritize upgrading to Pingora 0.8.0 to ensure the security of their applications. Additionally, they should review their HTTP/1.1 Upgrade process to ensure compliance with RFC 9110 and prevent potential desync attacks.
