{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26365", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-23T20:58:59.805Z", "dateReserved": "2026-02-13T00:00:00.000Z", "datePublished": "2026-02-23T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Ghost", "vendor": "Akamai", "versions": [{"lessThan": "2026-02-06", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header \"Connection: Transfer-Encoding\" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-23T08:22:05.446Z"}, "references": [{"url": "https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding"}], "tags": ["exclusively-hosted-service"], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:58:47.763157Z", "id": "CVE-2026-26365", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:58:59.805Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:58:47.763157Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:58:52.828Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "Akamai", "product": "Ghost", "versions": [{"status": "affected", "version": "0", "lessThan": "2026-02-06", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header \"Connection: Transfer-Encoding\" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-23T08:22:05.446Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26365", "state": "PUBLISHED", "dateUpdated": "2026-02-23T20:58:59.805Z", "dateReserved": "2026-02-13T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header \"Connection: Transfer-Encoding\" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling."}, {"lang": "es", "value": "Akamai Ghost en los servidores perimetrales de Akamai CDN antes del 2026-02-06 maneja incorrectamente el procesamiento de encabezados HTTP hop-by-hop personalizados, donde una solicitud entrante que contiene el encabezado 'Connection: Transfer-Encoding' podr\u00eda resultar en una solicitud reenviada con un encuadre de mensaje inv\u00e1lido, dependiendo de la ruta de procesamiento de Akamai. Esto podr\u00eda resultar en que el servidor de origen analice el cuerpo de la solicitud incorrectamente, lo que lleva al contrabando de solicitudes HTTP."}], "id": "CVE-2026-26365", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-02-23T09:17:01.210", "references": [{"source": "cve@mitre.org", "url": "https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026-02-06)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Ghost", "source": "cna", "vendor": "Akamai"}, "product": "ghost", "vendor": "akamai"}], "analysis": {"en": {"generated_at": "2026-04-17T16:27:32.395742+00:00", "value": {"mitigation_remediation": ["Update Akamai Ghost edge servers to the February 6, 2026 release or later, which addresses the hop\u2011by\u2011hop header handling flaw.", "Apply any configuration changes recommended by Akamai, such as disabling propagation of custom hop\u2011by\u2011hop headers or normalizing the \"Connection\" and \"Transfer-Encoding\" headers before forwarding.", "Configure network perimeter devices or a WAF to strip or reject requests containing the \"Connection: Transfer-Encoding\" header in order to prevent unintended framing from reaching the origin.", "Continuously monitor access and origin logs for signs of malformed request framing or duplicate headers that might indicate an ongoing smuggling attempt."], "summary": {"action": "Assess Impact", "impact": "HTTP request smuggling"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Akamai Ghost CDN edge servers deployed before the February 6, 2026 release. No specific version numbers are provided, but any instances running the pre\u2011February 2026 firmware are susceptible. The issue is tied to the handling of hop\u2011by\u2011hop headers at the edge tier, which then passes malformed framing to back\u2011end origins.", "description_and_impact": "Akamai Ghost on CDN edge servers mishandles custom hop\u2011by\u2011hop HTTP headers. When an incoming request contains the header \"Connection: Transfer-Encoding\", the server may forward a request with invalid message framing, which can allow an attacker to smuggle requests into the origin server. The flaw is a weakness in HTTP message handling, listed as CWE\u2011444, and can lead to misinterpretation of request bodies, potentially enabling data tampering or injection of hidden requests.", "risk_and_exploitability": "The CVSS base score of 4.0 indicates moderate impact. EPSS is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a remote attacker crafting HTTP traffic to a publicly reachable edge server with the malformed header. Successful exploitation would result in the origin server parsing the request body incorrectly, enabling a request smuggling attack. No confirmed exploits are reported, but the presence of the flaw warrants monitoring and timely remediation."}}}}, "created": "2026-02-23T14:28:35.759200+00:00", "title": "Incorrect Processing of Custom Hop\u2011by\u2011Hop HTTP Headers in Akamai Ghost Leading to Request Smuggling", "updated": "2026-04-17T16:30:05.837918+00:00", "vendors": ["akamai", "akamai$PRODUCT$ghost"]}