Linuxsecurity
Critical HTTP Request Smuggling Vulnerabilities in Fedora Tinyproxy
On June 18, 2026, Fedora released tinyproxy updates addressing two critical HTTP Request Smuggling vulnerabilities, CVE-2026-54387 and CVE-2026-54388, both published on June 17, 2026. The vulnerabilities affect Fedora 43 and 44 and allow attackers to exploit CL/TE desynchronization and duplicate Content-Length headers. The flaws could lead to significant security risks, including unauthorized access and data manipulation. The fixes were backported from upstream by Carl George. The scope of impact includes all Fedora users running affected versions of tinyproxy. Patches are available and can be installed using the 'dnf' package manager; users are urged to apply them immediately.
Key Points:
• Two critical CVEs (CVE-2026-54387, CVE-2026-54388) were disclosed affecting tinyproxy.
• Vulnerabilities allow HTTP Request Smuggling via CL/TE desynchronization and duplicate headers.
• Fedora users are advised to update to mitigate risks associated with these vulnerabilities.
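
Both conditions named above, CL/TE desynchronization and duplicate Content-Length headers, are cases of ambiguous request framing, where two HTTP parsers can disagree on where a request body ends. The following is an added example, not code from the advisory or from tinyproxy, showing a strict framing check a defender could run over captured request heads; the function name, the reject-on-any-ambiguity policy and the sample requests are assumptions made for illustration.

```python
# Added example: flag HTTP/1.1 request heads whose body framing is ambiguous.
# Message body length rules are in RFC 9112 section 6.3; this check is a
# deliberately strict policy (assumption), not tinyproxy's actual patch.

def framing_problems(raw_request: bytes) -> list[str]:
    """Return the reasons a request has ambiguous framing (empty list = OK)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    cl_values, has_te, problems = [], False, []
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        # Folded lines or whitespace around the name let parsers disagree
        # on which header this is, so treat them as errors.
        if not sep or not name or name != name.strip():
            problems.append("malformed header line")
            continue
        key = name.lower()
        if key == b"content-length":
            cl_values.append(value.strip())
        elif key == b"transfer-encoding":
            has_te = True
    if cl_values and has_te:
        problems.append("CL/TE: Content-Length and Transfer-Encoding both present")
    if len(cl_values) > 1:                         # reject even identical duplicates
        problems.append("duplicate Content-Length")
    if any(not v.isdigit() for v in cl_values):
        problems.append("non-numeric Content-Length")
    return problems

# Constructed sample requests (example.test is a placeholder host).
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "cl_te": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, framing_problems(raw) or "ok")
```

A check like this is useful on the hop in front of a proxy that has not yet been updated, since it rejects the ambiguous requests before two parsers get the chance to interpret them differently.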