Cloudflare patched multiple critical security vulnerabilities within Pingora, its Rust-based proxy framework. These flaws allowed attackers to execute HTTP request smuggling and cache poisoning attacks.
The vulnerabilities created risks for significant data exposure and cross-tenant information leaks. Exploitation could also enable the large-scale delivery of malicious content to users.
One specific fix addresses CVE-2026-2835, a vulnerability involving the handling of HTTP/1.0 bodies. This flaw could desynchronize request framing between the Pingora framework and backend servers.
Cloudflare’s proactive update secures infrastructure used by both internal systems and external adopters.