blog.cloudflare.com 3/9/2026, 4:26:59 PM · via preferred

Pingora 0.8.0 fixes HTTP smuggling CVEs 2026-2833/2835/2836

CyberSIXT Evidence Panel
Primary Source: cve.org
CISA KEV: Not in KEV
Patch: Patch Status Unknown
Threat Actor

In December 2025, Cloudflare received reports of HTTP/1.x request smuggling vulnerabilities in the Pingora OSS framework when it is used as an ingress proxy. The team has now detailed how these flaws operate and how they were addressed in Pingora 0.8.0. The issues are tracked as CVE-2026-2833, CVE-2026-2835 and CVE-2026-2836 and were responsibly reported by Rajat Raghav through the Bug Bounty Program; Cloudflare notes that its CDN and customer traffic were not affected.

Although they did not impact Cloudflare customers, the vulnerabilities could affect standalone Pingora deployments exposed to the Internet, potentially enabling desync attacks, bypass of proxy controls and cache poisoning. The fixes include upgrading to Pingora 0.8.0, and Cloudflare has implemented stricter RFC compliance, including corrected handling of Upgrade, HTTP/1.0 with Transfer-Encoding, and cache key construction.
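As an added illustration (not code from Cloudflare, Pingora or the original article), the sketch below shows the kind of strict framing check that the HTTP/1.0-with-Transfer-Encoding item refers to, generalized to the related body-length ambiguities covered by RFC 9112 section 6. `Framing`, `values` and `classify` are hypothetical names, the inputs are constructed, and the summary does not describe Pingora's actual patch.

```rust
// Added example: strict HTTP/1.x request framing checks (RFC 9112, section 6).
// `Framing`, `values` and `classify` are hypothetical names, not Pingora APIs.
#[derive(Debug, PartialEq)]
pub enum Framing {
    NoBody,
    ContentLength(u64),
    Chunked,
    Reject(&'static str), // answer 400 and close the connection
}

// Collect the trimmed values of every header named `name` (case-insensitive).
fn values<'a>(headers: &[(&str, &'a str)], name: &str) -> Vec<&'a str> {
    headers.iter()
        .filter(|&&(k, _)| k.eq_ignore_ascii_case(name))
        .map(|&(_, v)| v.trim())
        .collect()
}

// `minor` is 0 for HTTP/1.0 and 1 for HTTP/1.1.
pub fn classify(minor: u8, headers: &[(&str, &str)]) -> Framing {
    let te = values(headers, "transfer-encoding");
    let cl = values(headers, "content-length");
    if !te.is_empty() {
        if minor == 0 {
            // RFC 9112 6.1: Transfer-Encoding on HTTP/1.0 means faulty framing.
            return Framing::Reject("Transfer-Encoding on HTTP/1.0");
        }
        if !cl.is_empty() {
            return Framing::Reject("Transfer-Encoding with Content-Length");
        }
        // Stricter than the RFC: accept only a single `chunked` coding.
        let codings: Vec<&str> = te.iter().flat_map(|v| v.split(',')).map(str::trim).collect();
        return match codings.as_slice() {
            [c] if c.eq_ignore_ascii_case("chunked") => Framing::Chunked,
            _ => Framing::Reject("unsupported Transfer-Encoding"),
        };
    }
    match cl.as_slice() {
        [] => Framing::NoBody,
        // Digits only: u64::from_str would otherwise accept a leading '+'.
        [v] if !v.is_empty() && v.bytes().all(|b| b.is_ascii_digit()) => match v.parse::<u64>() {
            Ok(n) => Framing::ContentLength(n),
            Err(_) => Framing::Reject("Content-Length too large"),
        },
        _ => Framing::Reject("invalid or repeated Content-Length"),
    }
}
fn main() {
    // Constructed sample: an HTTP/1.0 request head carrying Transfer-Encoding.
    println!("{:?}", classify(0, &[("Transfer-Encoding", "chunked")]));
}
```

A proxy that rejects these cases at the edge never has to guess where a request body ends, so it cannot disagree with the backend about it.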

The advisory, including the CVE disclosures, was published on 4 March 2026, and Cloudflare encourages Pingora users to upgrade at their earliest convenience, according to The Cloudflare Blog.


Article by CyberSIXT