What is GHSA-mwjg-3fm6-9v84?

GHSA-mwjg-3fm6-9v84 is a security advisory published by GitHub Security Advisories with Low severity. In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request...

Which CVE IDs does GHSA-mwjg-3fm6-9v84 cover?

GHSA-mwjg-3fm6-9v84 covers the following CVE IDs: CVE-2026-50052. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-mwjg-3fm6-9v84Low

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request...

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-50052 →

📋 Description

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default.

🔗 References (3)

https://nvd.nist.gov/vuln/detail/CVE-2026-50052
https://vinyl-cache.org/security/VSV00019.html
https://github.com/advisories/GHSA-mwjg-3fm6-9v84