Duplicate Advisory: Cache poisoning via insecure-by-default cache key

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...

GHSA-2M8C-2374-465F Duplicate Advisory: Cache poisoning via insecure-by-default cache key

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...

CVE-2026-2836

Pingora CVE-2026-2836 affects the default cache key construction in Pingora’s alpha proxy caching feature, which uses only the URI path and omits the host header (authority) and other factors. This can enable cross-tenant data leakage and cache poisoning where cached responses may be served to us...

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...