CVE-2026-1760

5.3 MEDIUM
Denial of Service

📋 TL;DR

This HTTP request smuggling vulnerability in SoupServer allows remote attackers to send specially crafted requests that bypass normal request processing. Unauthenticated clients can exploit this to smuggle additional requests over persistent connections, potentially causing denial-of-service or unintended request processing. Any system running vulnerable versions of SoupServer with HTTP/1.1 support is affected.

💻 Affected Systems

Products:
  • SoupServer
Versions: All versions prior to the patched release
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTP/1.1 connections with keep-alive enabled. HTTP/2 and HTTP/3 implementations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover through request smuggling leading to authentication bypass, data exfiltration, or persistent DoS conditions that require server restart.

🟠

Likely Case

Denial-of-service conditions causing service disruption, potential cache poisoning, or unintended request processing that could lead to information disclosure.

🟢

If Mitigated

Limited impact with proper network segmentation, request validation, and monitoring in place to detect anomalous request patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of HTTP request smuggling techniques and ability to craft malformed Transfer-Encoding headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-1760

Restart Required: Yes

Instructions:

1. Check current SoupServer version. 2. Apply vendor-provided patch or update to fixed version. 3. Restart SoupServer service. 4. Verify fix is applied.

🔧 Temporary Workarounds

Disable HTTP keep-alive

linux

Prevents persistent connections that are required for this exploit

# Add to SoupServer configuration: keep-alive-timeout=0

Use reverse proxy with request validation

all

Deploy a reverse proxy that validates and sanitizes HTTP requests before forwarding to SoupServer

🧯 If You Can't Patch

  • Implement network segmentation to isolate SoupServer from untrusted networks
  • Deploy WAF with HTTP request smuggling protection rules

🔍 How to Verify

Check if Vulnerable:

Check SoupServer version against vendor advisory. Test with crafted HTTP requests containing Transfer-Encoding: chunked and Connection: keep-alive headers.

Check Version:

soupserver --version or check package manager (rpm -q soupserver, dpkg -l soupserver)

Verify Fix Applied:

Verify SoupServer version is updated to patched version. Test with same crafted requests to ensure proper connection closure.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests from single connection with abnormal timing
  • Requests with malformed Transfer-Encoding headers
  • Connection persistence beyond configured timeout

Network Indicators:

  • HTTP requests with Transfer-Encoding: chunked and Connection: keep-alive headers
  • Abnormal request/response timing patterns
  • Requests that don't properly terminate

SIEM Query:

source="soupserver" AND (http_header="Transfer-Encoding: chunked" AND http_header="Connection: keep-alive")

📊 Metadata

CVE ID: CVE-2026-1760
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-444
Published: February 2, 2026
Last Updated: February 4, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

📤 Share This