CVE-2026-2836 Vulnerability Analysis & Exploit Details

CVE-2026-2836
Vulnerability Scoring

Analysis In Progress
Analysis In Progress

Attack Complexity Details

  • Attack Complexity:
    Attack Complexity Analysis In Progress
  • Attack Vector:
    Attack Vector Under Analysis
  • Privileges Required: None
    No authentication is required for exploitation.
  • Scope:
    Impact is confined to the initially vulnerable component.
  • User Interaction: None
    No user interaction is necessary for exploitation.

CVE-2026-2836 Details

Status: Received on 05 Mar 2026, 00:15 UTC

Published on: 05 Mar 2026, 00:15 UTC

CVSS Release:

CVE-2026-2836 Vulnerability Summary

CVE-2026-2836: A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users. Impact This vulnerability affects users of Pingora's alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for: * Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant * Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries Cloudflare's CDN infrastructure was not affected by this vulnerability, as Cloudflare's default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default. Mitigation: We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on. Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer’s HTTP scheme.

Assessing the Risk of CVE-2026-2836

Access Complexity Graph

The exploitability of CVE-2026-2836 depends on two key factors: attack complexity (the level of effort required to execute an exploit) and privileges required (the access level an attacker needs).

Exploitability Analysis for CVE-2026-2836

No exploitability data is available for CVE-2026-2836.

Understanding AC and PR

A lower complexity and fewer privilege requirements make exploitation easier. Security teams should evaluate these aspects to determine the urgency of mitigation strategies, such as patch management and access control policies.

Attack Complexity (AC) measures the difficulty in executing an exploit. A high AC means that specific conditions must be met, making an attack more challenging, while a low AC means the vulnerability can be exploited with minimal effort.

Privileges Required (PR) determine the level of system access necessary for an attack. Vulnerabilities requiring no privileges are more accessible to attackers, whereas high privilege requirements limit exploitation to authorized users with elevated access.

CVSS Score Breakdown Chart

Above is the CVSS Sub-score Breakdown for CVE-2026-2836, illustrating how Base, Impact, and Exploitability factors combine to form the overall severity rating. A higher sub-score typically indicates a more severe or easier-to-exploit vulnerability.

CIA Impact Analysis

Below is the Impact Analysis for CVE-2026-2836, showing how Confidentiality, Integrity, and Availability might be affected if the vulnerability is exploited. Higher values usually signal greater potential damage.

  • Confidentiality: None
    CVE-2026-2836 does not compromise confidentiality.
  • Integrity: None
    CVE-2026-2836 does not impact data integrity.
  • Availability: None
    CVE-2026-2836 does not affect system availability.

CVE-2026-2836 References

External References

CWE Common Weakness Enumeration

Unknown

Protect Your Infrastructure against CVE-2026-2836: Combat Critical CVE Threats

Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals safeguarding today's infrastructures.

Other 5 Recently Published CVEs Vulnerabilities

  • CVE-2026-29121 – International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration...
  • CVE-2026-2836 – A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the d...
  • CVE-2026-2835 – An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs ...
  • CVE-2026-2833 – An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora ...
  • CVE-2026-22052 – ONTAP versions 9.12.1 and higher with S3 NAS buckets are susceptible to an information disclosure vulnerability. Successful exploit could allow an ...