Critical HTTP Request Smuggling Vulnerability in Starman Web Server

Critical HTTP Request Smuggling Vulnerability in Starman Web Server

First seen 8 May 2026, 07:08 UTC Linuxsecurity 89% similarity 72.6

Article Content

Browse articles
ThreatCluster

A critical vulnerability has been identified in Starman versions prior to 0.4018, allowing HTTP Request Smuggling due to improper header precedence. The issue arises when both 'Content-Length' and 'Transfer-Encoding: chunked' headers are present, with Starman incorrectly prioritizing 'Content-Length'. This flaw, documented as CVE-2026-40560, could enable attackers to smuggle malicious HTTP requests through a front-end reverse proxy. The vulnerability affects various Linux distributions, including Fedora and Mageia, prompting urgent updates. The fix has been implemented in Starman version 0.4018, released on April 29, 2026. Users are advised to update their systems immediately to mitigate the risk of exploitation. The vulnerability was published on April 28, 2026, and poses a significant threat to web applications relying on this server.

Key Points: • Starman versions before 0.4018 are vulnerable to HTTP Request Smuggling. • The vulnerability is due to improper header precedence between 'Content-Length' and 'Transfer-Encoding'. • Users must update to Starman 0.4018 to mitigate the risk of exploitation.

ThreatCluster AI

Timeline

2026-04-28
CVE-2026-40560 published
A critical vulnerability in Starman was published, allowing HTTP Request Smuggling due to improper header handling.
Linuxsecurity
2026-04-29
Starman 0.4018 released
An update to Starman was released to fix the HTTP Request Smuggling vulnerability, prioritizing 'Transfer-Encoding' correctly.
Linuxsecurity
2026-05-07
Mageia issues advisory for Starman
Mageia released an advisory regarding the Starman vulnerability, urging users to update to version 0.4018.
Linuxsecurity
2026-05-08
Multiple distributions report Starman vulnerability
Fedora and Arch Linux have issued advisories regarding the Starman vulnerability, emphasizing the need for updates.
Linuxsecurity

Community

Browse all →