{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "9.0.0"
              },
              {
                "last_affected": "9.0.0"
              },
              {
                "last_affected": "9.0.2"
              },
              {
                "introduced": "7.6.0"
              },
              {
                "last_affected": "8.0.1"
              },
              {
                "introduced": "6.0.14"
              },
              {
                "last_affected": "6.0.17"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "ce1b315b0c35477c666e4c8d8e1c9174df87eb61"
            },
            {
              "last_affected": "ce1b315b0c35477c666e4c8d8e1c9174df87eb61"
            },
            {
              "last_affected": "dc27a2dce662015cf79bbda5ff193b6bb74ba2d1"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "4883a9619d9fcdc4efcd7e4cd7e355ee38521a84"
            },
            {
              "last_affected": "04286a233e14a5674f86118da1c52ab63152006c"
            }
          ],
          "repo": "https://github.com/varnish/varnish",
          "type": "GIT"
        }
      ],
      "versions": [
        "9.0.0"
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "mitre",
    "cwe_ids": [
      "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50052.json"
  },
  "details": "In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync\nattack (request smuggling), which in turn can be used for cache poisoning,\nauthentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the\nfeature parameter to contain +http2. HTTP/2 support is disabled by\ndefault.",
  "id": "CVE-2026-50052",
  "modified": "2026-07-08T05:39:01.389103820Z",
  "published": "2026-06-03T03:56:01.974Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/01/9"
    },
    {
      "type": "WEB",
      "url": "https://code.vinyl-cache.org/vinyl-cache/vinyl-cache"
    },
    {
      "type": "WEB",
      "url": "https://vinyl-cache.org/security/VSV00019.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50052.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50052"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/varnish/varnish"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:N/R:A/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}