
PEACH
Un cadre d’isolation des locataires
CVE-2026-12606 is an HTTP request smuggling vulnerability in Eclipse Grizzly caused by improper parsing of malformed trailer header lines. It affects Eclipse Grizzly versions 4.0.0 through 4.0.2 and 5.0.0 through 5.0.1 (i.e., before 5.0.2). The vulnerability was published on July 14, 2026, by the Eclipse Foundation. It carries a CVSS v3.1 base score of 5.3 (Medium) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory, Eclipse GitLab).
The root cause is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests / HTTP Request Smuggling). Eclipse Grizzly fails to correctly parse the trailer section when HTTP trailer headers are malformed, creating an ambiguity in how the request boundaries are interpreted between Grizzly and any downstream systems or proxies. An unauthenticated, remote attacker can exploit this by sending specially crafted HTTP requests with malformed trailer headers, causing the server and downstream components to disagree on where one request ends and another begins. No authentication or user interaction is required, though the CVSS v4.0 metric notes that attack requirements (specific deployment conditions) must be present (GitHub Advisory, Eclipse GitLab).
Successful exploitation allows an unauthenticated attacker to inject or smuggle malicious HTTP requests into the processing pipeline, potentially bypassing security controls such as web application firewalls or access control mechanisms. The primary impact is on integrity (unauthorized modification or injection of request data), with no direct confidentiality or availability impact assessed. In multi-tier architectures where Grizzly acts as a front-end or intermediary, smuggled requests could be interpreted as legitimate requests by backend systems, enabling session hijacking, cache poisoning, or unauthorized access to restricted resources (GitHub Advisory, Eclipse GitLab).
Content-Length and Transfer-Encoding headers conflict or where trailer sections contain syntactically invalid lines.The Eclipse Foundation has released Eclipse Grizzly 5.0.2 as the patched version, which correctly handles malformed trailer header lines. Users running the 4.x branch (4.0.0–4.0.2) should upgrade to 5.0.2 or later, as no patch for the 4.x branch is indicated. As a network-level workaround, deploying strict HTTP header validation and request filtering at the perimeter (e.g., via a WAF configured to reject malformed chunked-encoding or trailer headers) can reduce exposure. Upgrading to 5.0.2 or later is the recommended and definitive remediation (GitHub Advisory, Eclipse GitLab).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."