Threat Advisory

Critical Tinyproxy Vulnerabilities Enable Request Smuggling

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Tinyproxy affecting all releases through version 1.11.3. These critical HTTP request smuggling flaws allow attackers to desynchronize the proxy's and the backend's HTTP parsers and bypass strict access controls. The business risk is significant: successful exploitation enables web cache poisoning and unauthorized access to sensitive internal network resources. Attackers can hijack other users' requests and expose internal proxy statistics, compromising the integrity of the network security architecture and potentially leading to severe operational disruption and data exposure.

  • CVE-2026-54388 – A request carrying multiple Content-Length headers is framed by the proxy using the first value, while every header is forwarded unchanged to the backend server. A backend that honours a different value carves the body at a different boundary, and the leftover bytes are parsed as a second, attacker-controlled request.
  • CVE-2026-54387 – Conflicting Content-Length and Transfer-Encoding headers desynchronize the proxy's and the backend's view of where the message ends, enabling request smuggling.
  • CVE-2026-55202 – Improper validation of the Host header lets an attacker inject an additional, matching Host header to bypass the stathost detection mechanism.
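
To make the three header conditions concrete, the following is an added example in Python (it is not Tinyproxy's code and not taken from the referenced report): a strict request audit that flags the duplicate Content-Length, Content-Length-with-Transfer-Encoding and duplicate-Host shapes described above, plus a helper that carves a duplicate-Content-Length request the way a first-value parser and a last-value parser each would, so the smuggled leftover becomes visible. The sample requests, hostnames and paths are constructed for the demonstration; the rejection policy follows RFC 9112 section 6.3 (reject ambiguous framing), not any particular proxy's implementation.

```python
"""Audit raw HTTP/1.1 requests for the framing ambiguities behind request smuggling.

Added example, not Tinyproxy code. Every request below is constructed for the
demonstration; the policy follows RFC 9112 section 6.3 (reject ambiguous
message framing) rather than any particular proxy's behaviour.
"""
from dataclasses import dataclass
from typing import List, Tuple

CRLF = b"\r\n"


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw request into request line, (name, value) headers and body.

    Header names are lower-cased; order and duplicates are kept, so the audit
    sees exactly what a downstream parser would see.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def audit_request(raw: bytes) -> List[Finding]:
    """Return the framing problems a strict proxy should reject outright."""
    _, headers, _ = parse_request(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    hosts = [v for n, v in headers if n == "host"]
    findings: List[Finding] = []
    # Two Content-Length lines: whichever one this hop honours, the next hop
    # may honour the other, and the leftover bytes become a second request.
    if len(cls) > 1:
        findings.append(Finding("DUP_CONTENT_LENGTH", f"values {cls}"))
    # Content-Length next to Transfer-Encoding: RFC 9112 says TE wins, but a
    # proxy that forwards both headers just hands the ambiguity downstream.
    if cls and tes:
        findings.append(Finding("CL_WITH_TE", f"CL {cls} with TE {tes}"))
    # Exactly one Host line: a second one lets a client satisfy a name-based
    # check with one value while the other value is what actually gets used.
    if len(hosts) != 1:
        findings.append(Finding("HOST_COUNT", f"{len(hosts)} Host headers"))
    return findings


def frame_by_content_length(raw: bytes, use_first: bool) -> Tuple[bytes, bytes]:
    """Carve the body as a parser honouring the first (or last) Content-Length would.

    Returns (body, leftover). Leftover is what that parser treats as the start
    of the *next* request on the connection, i.e. the smuggled bytes.
    """
    _, headers, rest = parse_request(raw)
    cls = [int(v) for n, v in headers if n == "content-length"]
    if not cls:
        return b"", rest
    n = cls[0] if use_first else cls[-1]
    return rest[:n], rest[n:]


# Constructed sample traffic (hostnames and paths are made up for the demo).
PREFIX = b"x=1&y="  # 6 bytes of "legitimate" body
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: internal" + CRLF + CRLF
DEMO_DUP_CL = (
    b"POST /submit HTTP/1.1" + CRLF
    + b"Host: front.example" + CRLF
    + b"Content-Length: " + str(len(PREFIX)).encode() + CRLF
    + b"Content-Length: " + str(len(PREFIX) + len(SMUGGLED)).encode() + CRLF
    + CRLF + PREFIX + SMUGGLED
)
DEMO_CL_TE = (b"POST / HTTP/1.1" + CRLF + b"Host: front.example" + CRLF
              + b"Content-Length: 4" + CRLF + b"Transfer-Encoding: chunked" + CRLF
              + CRLF + b"0" + CRLF + CRLF)
DEMO_DUP_HOST = (b"GET / HTTP/1.1" + CRLF + b"Host: upstream.example" + CRLF
                 + b"Host: stats.internal" + CRLF + CRLF)
DEMO_CLEAN = (b"POST / HTTP/1.1" + CRLF + b"Host: front.example" + CRLF
              + b"Content-Length: 6" + CRLF + CRLF + PREFIX)

if __name__ == "__main__":
    for name, req in [("dup-cl", DEMO_DUP_CL), ("cl-te", DEMO_CL_TE),
                      ("dup-host", DEMO_DUP_HOST), ("clean", DEMO_CLEAN)]:
        print(name, [f.code for f in audit_request(req)])
    for use_first in (True, False):
        body, left = frame_by_content_length(DEMO_DUP_CL, use_first)
        print("first" if use_first else "last", "CL -> body", body, "leftover", left)
```

Running the module shows the point of the first CVE directly: a parser that trusts the first Content-Length treats the embedded GET as a fresh request on the same connection, while one that trusts the last swallows it as body, and the two hops now disagree about every subsequent message. A proxy that rejects any request with a non-empty `audit_request` result never has to guess which side the backend will take.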

Exploitation of these vulnerabilities poses a critical risk to network security by allowing attackers to bypass access controls and hijack other users' requests. Organizations could face severe operational disruption and exposure of sensitive internal architecture if these flaws are leveraged by malicious actors. Immediate attention is required to mitigate the potential for cache poisoning and unauthorized internal access.

RECOMMENDATION:

  • We recommend updating Tinyproxy to a build that includes the upstream fix commits 364cdb67e0ea00a8e4a7037e2693e0711e816adb, ff45d3bf0e61d0f8ed97ab379d3047f04eb67521 and 09312a185ae25cc486b4ff5987638a7917a48bce. Note that these identifiers are git commit hashes, not a release version; the source report names no tagged release later than 1.11.3.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/tinyproxy-request-smuggling-cve/
