CL.CL HTTP request smuggling via duplicate Content-Length in bandit

Description

A vulnerability labeled as critical has been found in mtrudel bandit up to 1.10.x. Affected by this issue is the function Elixir.bandit.Headers:get_content_length in the library lib/bandit/headers.ex of the component HTTP Request Handler. Executing a manipulation can lead to http request smuggling. This vulnerability is registered as CVE-2026-39805. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

Affected Products

Vendor	Product	Versions
mtrudel	bandit	0, 0

References

https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7(vendor-advisory, related)
https://cna.erlef.org/cves/CVE-2026-39805.html(related)
https://osv.dev/vulnerability/EEF-CVE-2026-39805(related)
https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1(patch)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-39805 | mtrudel bandit up to 1.10.x HTTP Request lib/bandit/headers.ex Elixir.bandit.Headers:get_content_length request smuggling (GHSA-c67r-gc9j-2qf7 / EUVD-2026-26712)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.11.0

CWECWE-444

PublishedMay 1, 2026

Last enriched3h agov2

Trending Score67

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated severity to CRITICAL, changed exploit availability to false, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploited

via VulDB

v112h ago

Initial creation