HTTP request smuggling in Kong Enteprise Gateway_CVE-2026-6338

4.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/R:A/RE:M

Description

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Basic Information

ID CVE-2026-6338

Source Kong

Published Jun 11, 2026 at 13:47

Affected Product

Vendor Kong

Product Kong Enterprise Gateway

Version 3.4.0.0

Affected Versions Kong Kong Enterprise Gateway 3.4.0.0
Kong Kong Enterprise Gateway 3.10.0.0
Kong Kong Enterprise Gateway 3.11.0.0
Kong Kong Enterprise Gateway 3.12.0.0
Kong Kong Enterprise Gateway 3.13.0.0
Kong Kong Enterprise Gateway 3.14.0.0

CWE Classification

CWE-444

References

support.konghq.com /support/s/article/CVE-2026-6338

{
    "lastseen": "",
    "description": "A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong\u2019s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.",
    "published": "2026-06-11T13:47:01.309Z",
    "modified": "2026-06-11T13:47:01.309Z",
    "type": "cve",
    "title": "HTTP request smuggling in Kong Enteprise Gateway",
    "source": "Kong",
    "references": "https://support.konghq.com/support/s/article/CVE-2026-6338",
    "id": "CVE-2026-6338",
    "bulletinFamily": "",
    "cwe": [
        "CWE-444"
    ],
    "cvelist": null,
    "sourceData": "Kong Kong Enterprise Gateway 3.4.0.0\nKong Kong Enterprise Gateway 3.10.0.0\nKong Kong Enterprise Gateway 3.11.0.0\nKong Kong Enterprise Gateway 3.12.0.0\nKong Kong Enterprise Gateway 3.13.0.0\nKong Kong Enterprise Gateway 3.14.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/R:A/RE:M",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Kong Enterprise Gateway",
    "version": "3.4.0.0",
    "vendor": "Kong",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}