External risk intelligence

Tinyproxy Duplicate Content-Length HTTP Request Smuggling

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-54388

A vulnerability exists in Tinyproxy that allows remote attackers to desynchronize proxy and backend parser states by sending requests with multiple, differing `Content-Length` headers. This can enable attackers to inject arbitrary HTTP requests to backend systems, potentially leading to cache poisoning, access control

Halo Surface Signal

Likely · external exposure


Tinyproxy is a lightweight HTTP/HTTPS proxy server designed to handle network traffic. Proxies are typically deployed at the edge of a network or as intermediaries for web requests, making them inherently reachable from the network or internet to perform their function of forwarding and managing HTTP requests.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability is a flaw in Tinyproxy that could allow attackers to manipulate web requests passing through it. The issue arises from how the proxy handles multiple "Content-Length" headers in a single request, potentially enabling an attacker to inject malicious requests or bypass security controls on backend systems. The primary concern is to confirm whether your environment uses this proxy and is exposed to this type of manipulation.

  • Proxy mishandles multiple `Content-Length` headers.
  • Attackers can manipulate backend requests.
  • Confirm if this proxy is in use.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by sending specially crafted HTTP requests to a vulnerable proxy. The proxy, when encountering duplicate `Content-Length` headers with different values, misinterprets the request body size. This desynchronization between the proxy and the backend server's understanding of the request allows attackers to inject malicious HTTP requests. These injected requests can then lead to actions like cache poisoning, bypassing access controls, or hijacking other users' requests.

  • Exposed to network, no authentication needed.
  • Multiple differing `Content-Length` headers.
  • Request smuggling, cache poisoning, and bypasses.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to inject arbitrary HTTP requests into backend systems by desynchronizing the proxy and backend parser states. This can lead to cache poisoning, bypass of access controls, and request hijacking when the proxy is used to forward requests.

  • Backend HTTP requests and responses.
  • Desynchronized proxy and backend parsing.
  • Cache poisoning and access control bypass.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Tinyproxy impacts infrastructure teams responsible for proxy services and potentially application owners whose backends are exposed. The first practical step is to identify all Tinyproxy instances, confirm their reachability and business criticality, and then locate the accountable owner to plan remediation, potentially involving vendor coordination or temporary risk reduction if immediate patching is not feasible.

  • Infrastructure and application owners should address it.
  • Verify Tinyproxy instances and reachability first.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54388 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows attackers to inject arbitrary HTTP requests, bypass access controls, and hijack requests, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Tinyproxy?

Tinyproxy is a lightweight, open-source HTTP/HTTPS proxy server. It acts as an intermediary between a client and a web server, forwarding requests and managing traffic. Because of its minimal resource requirements, it is often deployed in resource-constrained environments or as a simple gateway for web requests.

What does CVE-2026-54388 mean?

This vulnerability is an HTTP request smuggling flaw, categorized as CWE-444. It occurs when Tinyproxy incorrectly processes multiple Content-Length headers in a single request. By providing conflicting values, an attacker can confuse the proxy about the size of the request body, causing it to become desynchronized with the backend server. This mismatch allows the attacker to hide malicious requests inside the legitimate stream, leading to unauthorized actions.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending a crafted HTTP request containing multiple, differing Content-Length headers to the proxy. The vulnerability is not triggered by standard, well-formed requests that contain only a single, consistent Content-Length header. The issue specifically relies on the proxy forwarding these conflicting headers to the backend while inconsistently calculating the body size, which enables the underlying desynchronization.
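As an added example (not Tinyproxy's code and not part of the advisory), the framing check a strict proxy or backend parser applies to the condition described in the Attack Path section and in this answer: collect every Content-Length value, reject a request whose values disagree (RFC 9110 s8.6), and collapse identical duplicates to a single header before forwarding, so the two parsers can never frame the body differently. The sample requests are constructed.

```python
# Constructed sample requests (not from the advisory); bodies are inert text.
SINGLE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\n\r\nhello")
SAME_TWICE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
CONFLICT = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")
LIST_FORM = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5, 11\r\n\r\nhello world")

def split_request(raw):
    """Return (request_line, header_lines, body) of a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def content_length_values(header_lines):
    """All Content-Length values; the RFC 9110 s8.6 list form yields one each."""
    values = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.extend(part.strip() for part in value.split(b","))
    return values

def check_framing(raw):
    """Strict framing decision: ('ok', body_length) or ('reject', reason)."""
    values = content_length_values(split_request(raw)[1])
    if not values:
        return ("ok", 0)
    if any(not v.isdigit() for v in values):
        return ("reject", "malformed Content-Length")
    lengths = {int(v) for v in values}
    if len(lengths) != 1:
        # Differing values: proxy and backend could each frame the body differently.
        return ("reject", "conflicting Content-Length values")
    return ("ok", lengths.pop())

def normalize(raw):
    """Forward-ready copy with exactly one Content-Length; raises if rejected."""
    verdict, detail = check_framing(raw)
    if verdict == "reject":
        raise ValueError(detail)
    request_line, headers, body = split_request(raw)
    kept = [h for h in headers
            if h.partition(b":")[0].strip().lower() != b"content-length"]
    if len(kept) != len(headers):  # the request carried Content-Length
        kept.append(b"Content-Length: %d" % detail)
    return b"\r\n".join([request_line, *kept]) + b"\r\n\r\n" + body
```

The same check run over captured proxy traffic flags the differing-value requests the advisory describes without having to reproduce them.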

Is my Tinyproxy instance at risk?

If your Tinyproxy instance is accessible from the network or the internet, it is considered potentially exposed. Halo Surface Signal identifies this as a higher-risk scenario because proxies are designed to receive and process external traffic, providing a direct pathway for attackers to reach the backend systems. Internal instances may be less accessible, but any proxy accepting untrusted traffic should be reviewed.

What are the first steps to address this issue?

Begin by auditing your infrastructure to locate all active Tinyproxy instances. Once identified, evaluate which proxies are reachable from the internet or untrusted networks and determine their business criticality. Coordinate with the relevant system owners to plan for updates, as the fix involves applying a code change to the software. If patching is not immediately possible, consider isolating the affected proxy from external traffic.
