HAProxy flaws enable FastCGI response smuggling and worker process crashes
Two newly disclosed vulnerabilities affect HAProxy through version 3.4.0, including CVE-2026-55203, a critical integer overflow in FastCGI handling that can be triggered by a malicious FastCGI backend. The bug resides in the fcgi_conn structure’s drl field: when contentLength is 65535 and paddingLength is 1 or greater, the value wraps to 0, causing the parser to treat buffered data as new FastCGI record headers. That desynchronization can lead to request routing errors, response smuggling, and possible memory-safety impacts. The issue is described as remotely exploitable and was fixed in commit 5985276.
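The wrap described above is a width problem: a FastCGI record's contentLength is a 16-bit field (0 to 65535) and paddingLength an 8-bit field (0 to 255), so their sum needs more than 16 bits. The following C program is an added illustration, not HAProxy's code and not a reproduction of the actual drl computation in fcgi_conn; it parses the 8-byte FCGI_Header layout from the FastCGI specification and computes the remaining record length both in a hypothetical 16-bit accumulator (modelling the bug class, where 65535 + 1 wraps to 0 and the parser would then read the buffered payload as a new header) and in a 32-bit one (the correct width). The header bytes are constructed inline for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FCGI_Header from the FastCGI spec, 8 bytes:
 * version(1) type(1) requestIdB1 requestIdB0
 * contentLengthB1 contentLengthB0 paddingLength reserved */
#define FCGI_HEADER_LEN 8

struct fcgi_hdr {
    uint8_t  version;
    uint8_t  type;
    uint16_t request_id;
    uint16_t content_len;   /* 0..65535 */
    uint8_t  padding_len;   /* 0..255   */
};

/* Parse one record header; returns 0 on success, -1 if the buffer is short. */
int fcgi_parse_header(const uint8_t *buf, size_t len, struct fcgi_hdr *h)
{
    if (len < FCGI_HEADER_LEN)
        return -1;
    h->version     = buf[0];
    h->type        = buf[1];
    h->request_id  = (uint16_t)((buf[2] << 8) | buf[3]);
    h->content_len = (uint16_t)((buf[4] << 8) | buf[5]);
    h->padding_len = buf[6];
    return 0;
}

/* Hypothetical narrow accumulator (assumption, models the bug class):
 * content_len + padding_len is computed in int, then truncated to 16 bits,
 * so 65535 + 1 becomes 0 and the record appears to carry no bytes at all. */
uint16_t fcgi_record_len_narrow(const struct fcgi_hdr *h)
{
    return (uint16_t)(h->content_len + h->padding_len);
}

/* Correct width: the largest possible sum (65535 + 255 = 65790) fits in 32 bits. */
uint32_t fcgi_record_len_wide(const struct fcgi_hdr *h)
{
    return (uint32_t)h->content_len + (uint32_t)h->padding_len;
}

/* Build a header with chosen lengths (constructed test input, FCGI_STDOUT record). */
void fcgi_build_header(uint8_t out[FCGI_HEADER_LEN], uint16_t content_len, uint8_t padding_len)
{
    out[0] = 1;                 /* FCGI_VERSION_1 */
    out[1] = 6;                 /* FCGI_STDOUT */
    out[2] = 0; out[3] = 1;     /* requestId = 1 */
    out[4] = (uint8_t)(content_len >> 8);
    out[5] = (uint8_t)(content_len & 0xff);
    out[6] = padding_len;
    out[7] = 0;                 /* reserved */
}

/* Convenience wrappers: build, parse and compute the length one way or the other. */
uint16_t narrow_record_len(uint16_t content_len, uint8_t padding_len)
{
    uint8_t raw[FCGI_HEADER_LEN];
    struct fcgi_hdr h;
    fcgi_build_header(raw, content_len, padding_len);
    fcgi_parse_header(raw, sizeof raw, &h);
    return fcgi_record_len_narrow(&h);
}

uint32_t wide_record_len(uint16_t content_len, uint8_t padding_len)
{
    uint8_t raw[FCGI_HEADER_LEN];
    struct fcgi_hdr h;
    fcgi_build_header(raw, content_len, padding_len);
    fcgi_parse_header(raw, sizeof raw, &h);
    return fcgi_record_len_wide(&h);
}

int main(void)
{
    /* The boundary case from the advisory: contentLength 65535, paddingLength 1. */
    printf("narrow (16-bit) record length: %u\n", narrow_record_len(65535, 1)); /* 0 */
    printf("wide   (32-bit) record length: %u\n", wide_record_len(65535, 1));   /* 65536 */
    return 0;
}
```

The lesson for a reviewer is independent of HAProxy: whenever two protocol fields are summed into a counter, the counter's type must be wide enough for the maximum of both fields combined, and a unit test at the field maxima (here 65535 and 255) catches the wrap before a backend does.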
A second flaw, CVE-2026-55204, is a high-severity NULL pointer dereference in hpack_dht_insert() within src/hpack-tbl.c. The vulnerability occurs when HAProxy fails to validate the return value of hpack_dht_defrag() after memory-pool exhaustion, allowing a remote attacker to trigger HPACK dynamic table insertions under memory pressure and crash HAProxy worker processes, resulting in denial of service. The bug is fixed in commit 9a6d1fe, and affected organizations should update HAProxy to a release containing both fixes.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-55204 published for HAProxy HPACK NULL dereference
CVE-2026-55204 was published for a high-severity denial-of-service vulnerability in HAProxy's HPACK handling. The flaw can be triggered remotely under memory pressure to crash worker processes and affects HAProxy through version 3.4.0.
CVE-2026-55203 published for HAProxy FastCGI integer overflow
CVE-2026-55203 was published for a critical integer overflow vulnerability in HAProxy's FastCGI handling logic. The issue is remotely exploitable and affects HAProxy through version 3.4.0.
HAProxy fixes HPACK NULL dereference in commit 9a6d1fe
HAProxy fixed a NULL pointer dereference in hpack_dht_insert() caused by not validating the return value of hpack_dht_defrag() under memory pressure. The issue could allow a remote attacker to crash HAProxy worker processes and affects HAProxy through version 3.4.0.
HAProxy fixes FastCGI integer overflow in commit 5985276
HAProxy fixed an integer overflow in the FastCGI demux record length handling that could let a malicious FastCGI backend desynchronize parsing and cause request routing errors, response smuggling, or memory safety issues. The flaw affects HAProxy through version 3.4.0.
Sources
3 references tracked.
HAProxy - Integer Overflow in FCGI Demux Record Length Field | Advisories | VulnCheck (vulncheck.com, open source)
CVE-2026-55203 - HAProxy - Integer Overflow in FCGI Demux Record Length Field (cvefeed.io, open source)
CVE-2026-55204 - HAProxy - NULL Pointer Dereference in hpack_dht_insert Function (cvefeed.io, open source)