CVE-2026-41417 Netty vulnerable to HTTP request smuggling and RTSP request injection via DefaultHttpRequest.setUri()

🗓️ 06 May 2026 20:52:47Reported by GitHub_MType

Netty setUri bypasses validation enabling HTTP smuggling and RTSP injection; fixed in 4.2.13.Final and 4.1.133.Final.

Reporter	Title	Published	Views	Family All 121
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in netty-codec-http-4.1.132.Final.jar	18 May 202619:25	–	ibm
IBM Security Bulletins	Security Bulletin: There is a vulnerability in netty-codec-http-4.1.132.Final.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-41417)	29 May 202609:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect for Manufacturing is vulnerable to CRLF Injection due to Netty ( CVE-2026-41417 )	11 Jun 202616:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SPSS Analytic Server is affected by multiple vulnerabilities in Netty	27 May 202605:11	–	ibm
IBM Security Bulletins	Security Bulletin: DevOps Test Performance contains a vulnerability related to use of netty-codec-http	12 May 202617:31	–	ibm
ATTACKERKB	CVE-2026-41417	6 May 202620:52	–	attackerkb
Chainguard	CVE-2026-41417 vulnerabilities	7 May 202601:17	–	cgr
Circl	CVE-2026-41417	7 May 202602:25	–	circl
CNNVD	Netty 注入漏洞	6 May 202600:00	–	cnnvd
CVE	CVE-2026-41417	6 May 202620:52	–	cve

[
  {
    "vendor": "netty",
    "product": "netty",
    "versions": [
      {
        "version": ">= 4.2.0.Alpha1, <= 4.2.12.Final",
        "status": "affected"
      },
      {
        "version": "<= 4.1.132.Final",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv

06 May 2026 20:52Current

CVSS 3.15.3

EPSS0.00307