CVE-2026-26365

MEDIUM4.0

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path

Published Feb 23, 2026

Modified 1 weeks ago

Details

Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header "Connection: Transfer-Encoding" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.

References

WEB

https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-26365

CVSS Analysis

CVSS v3.1

4.0

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

ChangedS:C

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

NoneA:N

4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Weakness Type (CWE)

Other

CWE-444

Ecosystems

Timeline

PublishedFeb 23, 2026

ModifiedFeb 23, 2026