CVE-2026-50052: HTTP/2 request smuggling in Vinyl Cache and Varnish Cache (VSV00019)
CVE-2026-50052 is verified against varnish/varnish · github vulnerability class: Request Smuggling This low reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00231.
pruva-verify REPRO-2026-00231 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00231/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (HTTP request smuggling), which can lead to cache poisoning, authentication bypass, or possibly information disclosure/manipulation. The attack vector only exists when HTTP/2 support is enabled by setting the feature parameter to contain +http2; HTTP/2 is disabled by default. Affected versions include Vinyl Cache 9.0.0, Varnish Cache by Varnish Software up to 9.0.2, Varnish Cache releases 7.6.0 through 8.0.1, and Varnish Cache 6.0 LTS 6.0.14 through 6.0.17. Fixed versions are Vinyl Cache 9.0.1, Varnish Cache by Varnish Software 9.0.3, Varnish Cache 8.0.2, and Varnish Cache 6.0 LTS 6.0.18. Reproduction target: clone the Vinyl/Varnish Cache source, build a vulnerable version, enable HTTP/2, and demonstrate a backend request desync via malformed HTTP/2 requests.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.