CVE-2026-58055

Source
https://cve.org/CVERecord?id=CVE-2026-58055
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-58055.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-58055
Downstream
Related
Published
2026-06-28T01:32:57.163Z
Modified
2026-07-18T08:15:54.846583Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
Details

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58055.json"
}
References

Affected packages

Git / github.com/nghttp2/nghttp2

Affected ranges

Type
GIT
Repo
https://github.com/nghttp2/nghttp2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.69.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.15
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.2.1
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.40.0
v1.41.0
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.47.0
v1.48.0
v1.49.0
v1.5.0
v1.50.0
v1.51.0
v1.52.0
v1.53.0
v1.54.0
v1.55.0
v1.56.0
v1.57.0
v1.58.0
v1.59.0
v1.6.0
v1.60.0
v1.61.0
v1.62.0
v1.63.0
v1.64.0
v1.65.0
v1.66.0
v1.67.0
v1.68.0
v1.69.0
v1.7.0
v1.8.0
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-58055.json"
vanir_signatures
[
    {
        "digest": {
            "line_hashes": [
                "62669387615303323169384784807387940316",
                "115080790988490787413685996575811120278",
                "179263697461216981645918178554272685340"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_http3_upstream.cc"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-13b6665d",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 267.0,
            "function_hash": "43673781966955899045931956832730952434"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_downstream.cc",
            "function": "Downstream::can_detach_downstream_connection"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-1abf21d3",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 436.0,
            "function_hash": "15312478888151856152257817533859698343"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_https_upstream.cc",
            "function": "htp_bodycb"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-1c0a1bd9",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "335415222669132706788310483148624228597",
                "173763525734563539023556720790237966113",
                "26336645514048091626828772325135812659",
                "332658327525775409262924700958581618886",
                "331051049028590052329269734365712057987",
                "94891363389048758954505100948799485833",
                "53071911720402741194867203320445457700",
                "226412005289906365761738015286806834079",
                "14296952311681176136513808442889592665",
                "314794783837910270577995974583571519873",
                "12182432510740172648978883166040513298",
                "191974907531670169046728002021299746103",
                "249035190786871038042785344071240561092",
                "306163501767210135320847762562534127983",
                "271707945131709030372938911867023783914",
                "288958434755733859625253325083900147339",
                "173284736462089331223860413067302209432",
                "180711086737183085639257266863103013135",
                "204176032076996234692096308908285471500",
                "79797308695532850868261404554937465712",
                "88309084218894327149049472940941497331",
                "206683465124409223728164645947301925274",
                "159214503691684740056092173363449331309",
                "299251813917977328262637592426654826174",
                "211064287534445994613285903648861993234",
                "283465959567744566335347690900088579588",
                "317616304262636988257716799873491496014",
                "215920102260166639160847355760069429228",
                "71900137815719029863806708120212409171",
                "197122407888850147712015180024591813655",
                "137175851019764285630843860789751063548",
                "16534050313925651183077734541565503728",
                "138144508982577466908938714165649872569",
                "67323108729025449429528251356409438102",
                "144789569819539231731356888980040068227",
                "167924723323927702672588749033808093411",
                "283326674015974112618681099511545608323"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_http_downstream_connection.cc"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-5d16616a",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 766.0,
            "function_hash": "320163202767182877982379961795932377931"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http_downstream_connection.cc",
            "function": "HttpDownstreamConnection::write_first"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-6cf66e4f",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 5274.0,
            "function_hash": "157954019425193704699618567891394583451"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_https_upstream.cc",
            "function": "htp_hdrs_completecb"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-6fdc2a3a",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 339.0,
            "function_hash": "28735875628849634731636185178761537981"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http_downstream_connection.cc",
            "function": "HttpDownstreamConnection::end_upload_data"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-7e93f83e",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "295538217625771244266315532608320285740",
                "139976314821867173461997519495254726564",
                "18324944891492794004474494761864170483",
                "43253302134325806522721655346082194642",
                "294945284312060451990791414488655125874",
                "58046389297110633476165948072706146858",
                "120023882033127079391942282018591446883",
                "147954834218365925363324446926330098339"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_http_downstream_connection.h"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-81adde6e",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 751.0,
            "function_hash": "179533128835627028519707800459533723846"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http_downstream_connection.cc",
            "function": "HttpDownstreamConnection::push_upload_data_chunk"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-859397b4",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "116764242602515768712729399265769653335",
                "179500082026159152947804234868973725543",
                "93431901249262272240155081992403113026",
                "156395156267563937984122960517100172090"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_downstream.cc"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-8bd81516",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 3212.0,
            "function_hash": "147743895264235066285158328931586386298"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http_downstream_connection.cc",
            "function": "htp_hdrs_completecb"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-8f020905",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 2916.0,
            "function_hash": "159901867316320735823837426735533466756"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http3_upstream.cc",
            "function": "Http3Upstream::http_end_request_headers"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-9023f475",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 2550.0,
            "function_hash": "208817711213457684974467925045335908018"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_https_upstream.cc",
            "function": "HttpsUpstream::on_read"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-9dc5b3e2",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "259091652804689409350195228969531937317",
                "42627039997252978146306249700763730170",
                "324962062577452086331100903974769259821",
                "98231691953633418037751492779916514978",
                "231293548702613064372686314273152277794",
                "208779413466664808332087380537387304780",
                "301837154404705062561412651469352589576",
                "167631245187627443252387114719876415844",
                "116167261168637495878941822504624823668",
                "12694626002761322095879733660516620013",
                "159451314786355822593274822889026877060",
                "203843230182330712948150249912918190682",
                "313791233208983225757596956493713786100",
                "318642938537933100675236514745827842128",
                "166135241699700343435642323656095553879",
                "187276397820532817757536081291328676525",
                "83006779865568842506406237585064571796",
                "292081433954375048056042966346234685854",
                "136341365476770827087204509298467229819",
                "73662978382280600888686443744785212116",
                "298349171990035802469370981188249443729"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_https_upstream.cc"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-bbbd50d5",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "56401332632716413458890508961760525798",
                "135080802465947796672236771277204930691",
                "255828314234079636589122010815750258213",
                "151305551100107744292970793987545248084"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_downstream.h"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-dd3bdabb",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 883.0,
            "function_hash": "244260155831067857687409280969508269933"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_https_upstream.cc",
            "function": "htp_msg_completecb"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-e1180dd2",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "length": 3278.0,
            "function_hash": "142265237508328558532132663862003050536"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/shrpx_http2_upstream.cc",
            "function": "Http2Upstream::on_request_headers"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-f6340205",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    },
    {
        "digest": {
            "line_hashes": [
                "62669387615303323169384784807387940316",
                "322626411945656805909290780978287709795",
                "61747566366262097341637268015805726715"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "src/shrpx_http2_upstream.cc"
        },
        "signature_version": "v1",
        "id": "CVE-2026-58055-f9e8b45d",
        "deprecated": false,
        "source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
    }
]
vanir_signatures_modified
"2026-07-18T08:15:54Z"