MEDIUM: 4.9
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/R:A/RE:M
Default status: unaffected
3.4.0.0 (kong enterprise gateway 3.4) before 3.4.3.27: affected
3.10.0.0 (kong enterprise gateway 3.10) before 3.10.0.12: affected
3.11.0.0 (kong enterprise gateway 3.11) before 3.11.0.12: affected
3.12.0.0 (kong enterprise gateway 3.12) before 3.12.0.7: affected
3.13.0.0 (kong enterprise gateway 3.13) before 3.13.0.5: affected
3.14.0.0 (kong enterprise gateway 3.14) before 3.14.0.4: affected
Description
An HTTP request smuggling and desynchronization vulnerability affects the Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.
Problem types
CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')
References
support.konghq.com/support/s/article/CVE-2026-6338