nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.
{
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-444"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58055.json"
}{
"cpe": "cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.69.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-58055.json"
[
{
"digest": {
"line_hashes": [
"62669387615303323169384784807387940316",
"115080790988490787413685996575811120278",
"179263697461216981645918178554272685340"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_http3_upstream.cc"
},
"signature_version": "v1",
"id": "CVE-2026-58055-13b6665d",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 267.0,
"function_hash": "43673781966955899045931956832730952434"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_downstream.cc",
"function": "Downstream::can_detach_downstream_connection"
},
"signature_version": "v1",
"id": "CVE-2026-58055-1abf21d3",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 436.0,
"function_hash": "15312478888151856152257817533859698343"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_https_upstream.cc",
"function": "htp_bodycb"
},
"signature_version": "v1",
"id": "CVE-2026-58055-1c0a1bd9",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"335415222669132706788310483148624228597",
"173763525734563539023556720790237966113",
"26336645514048091626828772325135812659",
"332658327525775409262924700958581618886",
"331051049028590052329269734365712057987",
"94891363389048758954505100948799485833",
"53071911720402741194867203320445457700",
"226412005289906365761738015286806834079",
"14296952311681176136513808442889592665",
"314794783837910270577995974583571519873",
"12182432510740172648978883166040513298",
"191974907531670169046728002021299746103",
"249035190786871038042785344071240561092",
"306163501767210135320847762562534127983",
"271707945131709030372938911867023783914",
"288958434755733859625253325083900147339",
"173284736462089331223860413067302209432",
"180711086737183085639257266863103013135",
"204176032076996234692096308908285471500",
"79797308695532850868261404554937465712",
"88309084218894327149049472940941497331",
"206683465124409223728164645947301925274",
"159214503691684740056092173363449331309",
"299251813917977328262637592426654826174",
"211064287534445994613285903648861993234",
"283465959567744566335347690900088579588",
"317616304262636988257716799873491496014",
"215920102260166639160847355760069429228",
"71900137815719029863806708120212409171",
"197122407888850147712015180024591813655",
"137175851019764285630843860789751063548",
"16534050313925651183077734541565503728",
"138144508982577466908938714165649872569",
"67323108729025449429528251356409438102",
"144789569819539231731356888980040068227",
"167924723323927702672588749033808093411",
"283326674015974112618681099511545608323"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_http_downstream_connection.cc"
},
"signature_version": "v1",
"id": "CVE-2026-58055-5d16616a",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 766.0,
"function_hash": "320163202767182877982379961795932377931"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http_downstream_connection.cc",
"function": "HttpDownstreamConnection::write_first"
},
"signature_version": "v1",
"id": "CVE-2026-58055-6cf66e4f",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 5274.0,
"function_hash": "157954019425193704699618567891394583451"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_https_upstream.cc",
"function": "htp_hdrs_completecb"
},
"signature_version": "v1",
"id": "CVE-2026-58055-6fdc2a3a",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 339.0,
"function_hash": "28735875628849634731636185178761537981"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http_downstream_connection.cc",
"function": "HttpDownstreamConnection::end_upload_data"
},
"signature_version": "v1",
"id": "CVE-2026-58055-7e93f83e",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"295538217625771244266315532608320285740",
"139976314821867173461997519495254726564",
"18324944891492794004474494761864170483",
"43253302134325806522721655346082194642",
"294945284312060451990791414488655125874",
"58046389297110633476165948072706146858",
"120023882033127079391942282018591446883",
"147954834218365925363324446926330098339"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_http_downstream_connection.h"
},
"signature_version": "v1",
"id": "CVE-2026-58055-81adde6e",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 751.0,
"function_hash": "179533128835627028519707800459533723846"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http_downstream_connection.cc",
"function": "HttpDownstreamConnection::push_upload_data_chunk"
},
"signature_version": "v1",
"id": "CVE-2026-58055-859397b4",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"116764242602515768712729399265769653335",
"179500082026159152947804234868973725543",
"93431901249262272240155081992403113026",
"156395156267563937984122960517100172090"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_downstream.cc"
},
"signature_version": "v1",
"id": "CVE-2026-58055-8bd81516",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 3212.0,
"function_hash": "147743895264235066285158328931586386298"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http_downstream_connection.cc",
"function": "htp_hdrs_completecb"
},
"signature_version": "v1",
"id": "CVE-2026-58055-8f020905",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 2916.0,
"function_hash": "159901867316320735823837426735533466756"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http3_upstream.cc",
"function": "Http3Upstream::http_end_request_headers"
},
"signature_version": "v1",
"id": "CVE-2026-58055-9023f475",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 2550.0,
"function_hash": "208817711213457684974467925045335908018"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_https_upstream.cc",
"function": "HttpsUpstream::on_read"
},
"signature_version": "v1",
"id": "CVE-2026-58055-9dc5b3e2",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"259091652804689409350195228969531937317",
"42627039997252978146306249700763730170",
"324962062577452086331100903974769259821",
"98231691953633418037751492779916514978",
"231293548702613064372686314273152277794",
"208779413466664808332087380537387304780",
"301837154404705062561412651469352589576",
"167631245187627443252387114719876415844",
"116167261168637495878941822504624823668",
"12694626002761322095879733660516620013",
"159451314786355822593274822889026877060",
"203843230182330712948150249912918190682",
"313791233208983225757596956493713786100",
"318642938537933100675236514745827842128",
"166135241699700343435642323656095553879",
"187276397820532817757536081291328676525",
"83006779865568842506406237585064571796",
"292081433954375048056042966346234685854",
"136341365476770827087204509298467229819",
"73662978382280600888686443744785212116",
"298349171990035802469370981188249443729"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_https_upstream.cc"
},
"signature_version": "v1",
"id": "CVE-2026-58055-bbbd50d5",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"56401332632716413458890508961760525798",
"135080802465947796672236771277204930691",
"255828314234079636589122010815750258213",
"151305551100107744292970793987545248084"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_downstream.h"
},
"signature_version": "v1",
"id": "CVE-2026-58055-dd3bdabb",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 883.0,
"function_hash": "244260155831067857687409280969508269933"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_https_upstream.cc",
"function": "htp_msg_completecb"
},
"signature_version": "v1",
"id": "CVE-2026-58055-e1180dd2",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"length": 3278.0,
"function_hash": "142265237508328558532132663862003050536"
},
"signature_type": "Function",
"target": {
"file": "src/shrpx_http2_upstream.cc",
"function": "Http2Upstream::on_request_headers"
},
"signature_version": "v1",
"id": "CVE-2026-58055-f6340205",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
},
{
"digest": {
"line_hashes": [
"62669387615303323169384784807387940316",
"322626411945656805909290780978287709795",
"61747566366262097341637268015805726715"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "src/shrpx_http2_upstream.cc"
},
"signature_version": "v1",
"id": "CVE-2026-58055-f9e8b45d",
"deprecated": false,
"source": "https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e"
}
]
"2026-07-18T08:15:54Z"