CVE-2026-6338

Summary

A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong’s HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic.

Affected Software

VendorProductVersion RangeStatus
KongKong Enterprise Gateway3.4.0.0 < 3.4.3.27affected
KongKong Enterprise Gateway3.10.0.0 < 3.10.0.12affected
KongKong Enterprise Gateway3.11.0.0 < 3.11.0.12affected
KongKong Enterprise Gateway3.12.0.0 < 3.12.0.7affected
KongKong Enterprise Gateway3.13.0.0 < 3.13.0.5affected
KongKong Enterprise Gateway3.14.0.0 < 3.14.0.4affected

Weaknesses

  • CWE-444: CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References