Listen to this Post
CVE-2026-2836 is a cache poisoning vulnerability in the Pingora HTTP proxy framework caused by an insecure default cache key construction. The flaw exists because the default `CacheKey` implementation generates keys using only the URI path, completely omitting critical factors like the `Host` header and the HTTP scheme (http/https) . This allows an attacker controlling a request to a shared proxy cache to have its response stored under a key that collides with a different origin. For example, a request to `http://malicious-site.com/admin` and a request to `https://legitimate-bank.com/admin` would generate the same cache key if they share the same path. Consequently, a subsequent user requesting `https://legitimate-bank.com/admin` might receive the cached malicious response from the attacker, leading to data leakage or defacement . The vulnerability affects versions prior to 0.8.0 where users relied on this default behavior. Cloudflare’s own infrastructure was unaffected as they use a more robust, multi-factor cache key .
Platform: Cloudflare Pingora
Version: <0.8.0
Vulnerability: Insecure default cache
Severity: HIGH (CVSS:8.4)
date: March 4, 2026
Prediction: Patch already available
What Undercode Say:
Analytics
The vulnerability stems from the default cache key logic in Pingora’s alpha caching feature. The flawed code, present in versions prior to 0.8.0, created a cache key solely from the request’s URI path.
Vulnerable Code Logic (Pre-0.8.0):
// Simplified representation of the insecure default
impl CacheKey for DefaultCacheKey {
fn build_cache_key<'a>(
&self,
request: &'a RequestHeader,
_: &'a Self::Params,
) -> Result<String, CacheError> {
// Only the path is used, host is ignored!
Ok(request.uri().path().to_string())
}
}
Fixed Approach (Post-0.8.0):
Users must now explicitly implement a callback to define the cache key.
// Example of a secure, explicit cache key builder
use pingora_cache::key::CacheKeyBuilder;
fn my_cache_key_builder(
request: &pingora_http::RequestHeader,
// ... other params
) -> String {
// Combine scheme, host, and path for a unique key
let scheme = request.uri().scheme_str().unwrap_or("http");
let host = request.headers()
.get(http::header::HOST)
.and_then(|v| v.to_str().ok())
.unwrap_or("");
let path = request.uri().path();
format!("{}://{}{}", scheme, host, path)
}
How Exploit
An attacker can poison the cache by sending a malicious request to a path that exists on a target legitimate site.
1. Attacker sends request: `GET http://attacker.com/admin`
2. Pingora proxy caches response under key: `/admin`
- Legitimate user requests:
GET https://bank.com/admin`/admin`
<h2 style="color: blue;">4. Pingora builds cache key: - Proxy serves the cached malicious `attacker.com` response to the `bank.com` user.
Protection from this CVE
- Upgrade: Immediately update Pingora to version `0.8.0` or higher .
- Explicit Cache Key: If you cannot upgrade, remove all usage of the default `CacheKey` and implement a custom key that includes at minimum the `Host` header and the HTTP scheme .
- Validate Cache Keys: Audit your configurations to ensure cache keys vary appropriately for different tenants and origins.
Impact
- Cross-Tenant Data Leakage: In multi-tenant environments, one tenant’s cached responses could be served to another tenant, exposing sensitive data.
- Cache Poisoning: Attackers can inject malicious content (e.g., JavaScript, false pages) into the cache, which is then served to all users visiting a legitimate site until the cache expires .
- Bypass of Security Controls: Serves malicious content while bypassing origin server access controls, as the request never reaches the legitimate backend.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

