External risk intelligence

Tinyproxy HTTP Request Smuggling via Conflicting Headers.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54387

A critical vulnerability exists in Tinyproxy, a web proxy software, where conflicting `Content-Length` and `Transfer-Encoding` headers can lead to desynchronization between the proxy and backend servers. This allows remote attackers to inject arbitrary HTTP requests, potentially enabling cache poisoning, access control

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Tinyproxy is commonly deployed as an internet-facing or edge-facing proxy service to manage and forward HTTP traffic. Its primary function is to act as an intermediary, making it a natural point of ingress for network requests in many standard deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Tinyproxy, a web proxy software. The issue allows attackers to craft malicious requests that can trick the proxy into forwarding unintended commands to backend servers, potentially leading to cache poisoning or unauthorized access. The main concern is confirming if Tinyproxy is in use and if it's exposed externally.

  • Attackers can manipulate web proxy requests.
  • Confirms proxy relevance and external exposure.
  • Understand if this proxy software is in use.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to a Tinyproxy instance. The proxy incorrectly processes conflicting `Content-Length` and `Transfer-Encoding` headers, leading to a desynchronization between the proxy and the backend server. This allows the attacker to inject arbitrary HTTP requests, potentially enabling them to poison caches, bypass access controls, or hijack user requests.

  • No authentication or specific access needed.
  • Conflicting HTTP headers in requests.
  • Arbitrary HTTP request injection.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability could allow an attacker to desynchronize the proxy and backend server's understanding of HTTP requests. This desynchronization can enable an attacker to inject arbitrary HTTP requests into the backend, potentially leading to cache poisoning, bypassing access controls, or hijacking user requests. These attacks are possible when the proxy and backend misinterpret conflicting `Content-Length` and `Transfer-Encoding: chunked` headers.

  • Backend service request handling.
  • Conflicting HTTP headers processed.
  • Cache poisoning, access bypass.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Tinyproxy impacts organizations using it as an HTTP proxy, potentially affecting web application owners and infrastructure teams. The immediate priority is to identify all instances of Tinyproxy, assess their reachability and business criticality, and determine the accountable owner for remediation. Planning should then focus on risk-based mitigation.

  • Infrastructure and platform teams own remediation.
  • Verify proxy exposure and backend reachability.
  • Plan updates or vendor coordination.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54387 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows attackers to inject HTTP requests, potentially leading to data compromise and bypass of security controls, which would cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Tinyproxy?

Tinyproxy is a lightweight, open-source HTTP/HTTPS proxy daemon. It is commonly deployed to manage, filter, and forward web traffic between clients and backend servers. Because it sits in the middle of these connections, it acts as a gatekeeper for network requests, making it a frequent choice for simple routing needs in various environments.

How does CVE-2026-54387 work?

This vulnerability is an HTTP Request Smuggling flaw (CWE-444). It occurs when Tinyproxy receives a request containing both Content-Length and Transfer-Encoding headers. Because the proxy and the backend server disagree on which header to prioritize, an attacker can 'smuggle' a hidden request that the backend processes as part of the next user's connection. This allows for unauthorized actions like cache poisoning or bypassing security checks.

What triggers this vulnerability?

The flaw is triggered when an attacker sends a specially crafted HTTP request that includes both conflicting headers simultaneously. It is not triggered by standard, well-formed HTTP requests that utilize only one method for defining message length. If the request does not intentionally create this header conflict, the proxy and backend will remain synchronized, and the exploit path is not engaged.

Why does Halo Surface Signal flag this as high relevance?

Halo Surface Signal identifies this as a significant concern because Tinyproxy is typically deployed as an edge-facing service. When a proxy is positioned to handle incoming traffic from the internet, it becomes a direct target for remote attackers. Since no authentication is required to send these crafted requests, any instance exposed to the internet is a potential entry point for the malicious request smuggling described in this advisory.

How should I respond if I run Tinyproxy?

First, conduct a discovery phase to identify all active instances of Tinyproxy within your infrastructure. Once identified, prioritize the assessment of those that are internet-facing or positioned at the edge of your network. Consult the provided technical resources to determine if you are running an affected version and coordinate with your infrastructure team to plan an update to the patched version as soon as possible.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished