The vulnerabilities, designated as CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836, expose organizations using self-hosted Pingora deployments to severe security risks including bypass of security controls, credential theft, and web cache poisoning, according to a Cloudflare blog post.
The most critical flaw involves Pingora’s handling of HTTP upgrade requests. When receiving requests with an Upgrade header, the framework would prematurely switch to passthrough mode before the backend server accepted the protocol change. This allowed attackers to smuggle malicious requests that bypassed Pingora’s security controls entirely.
A second vulnerability stemmed from incorrect parsing of HTTP/1.0 requests containing Transfer-Encoding headers, which are forbidden by RFC standards. Instead of rejecting these requests, Pingora would misinterpret the request length, creating a discrepancy with compliant backend servers that could be exploited for request smuggling attacks.
The third issue affected Pingora’s alpha-stage caching feature, where cache keys were generated using only the URI path without considering the Host header or HTTP scheme. This meant an attacker could poison the cache for one domain and have that malicious content served to users visiting a completely different site.
Cloudflare Infrastructure Protected
Cloudflare confirmed its production CDN services were never vulnerable due to its defense-in-depth architecture. The company explained that Pingora is not used as the primary internet-facing proxy in its CDN, and upstream proxies normalize traffic before it reaches internal Pingora instances. Additionally, Cloudflare has always used robust, multi-factor cache keys rather than the insecure default implementation.
The vulnerabilities have been fully addressed in Pingora version 0.8.0. The update corrects the Upgrade logic to switch modes only after receiving proper confirmation from upstream servers, hardens the HTTP parser to reject non-compliant requests, and removes the insecure default cache key implementation entirely.
Organizations running self-hosted Pingora deployments should upgrade immediately to version 0.8.0 or later. When implementing proxy caching, administrators must ensure cache keys comprehensively identify resources based on all relevant parameters including scheme, host, path, and varying headers.
