🟠 High | Source: Microsoft Security Response Center
CVE-2026-58055 is an HTTP request/response smuggling vulnerability in nghttp2’s nghttpx reverse proxy component, triggered via HTTP Upgrade requests that include a Content-Length header. This class of vulnerability can allow attackers to poison shared connection caches, bypass security controls, or hijack requests between clients and backend services. It is particularly relevant to Azure-hosted workloads that use nghttp2-based proxies or HTTP/2 gateway components.
Security Architect’s Take: Review any Azure workloads or container images using nghttpx as a reverse proxy or HTTP/2 front-end and prioritise patching to a fixed version of nghttp2. Additionally, audit WAF and API gateway configurations to ensure HTTP Upgrade requests with Content-Length headers are validated or blocked at the perimeter until patching is complete.
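One way to express the perimeter check recommended above, as an added example that is not from the advisory or the nghttp2 project: it parses a raw HTTP/1.1 request head and flags any request that carries both an Upgrade header and a Content-Length header. The function names and sample requests are constructed for illustration; a real deployment would express the same rule in its WAF or gateway policy language.

```python
# Added example: flag HTTP/1.1 Upgrade requests that also declare Content-Length.
# Function names and SAMPLES are constructed for illustration only.

def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")  # ignore any body bytes
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Strip whitespace around the name so "Content-Length :" is still seen.
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def upgrade_with_content_length(raw: bytes) -> bool:
    """True when a request has an Upgrade header and a Content-Length header."""
    _, headers = parse_head(raw)
    # Conservative choice for this example: any non-empty Upgrade header counts,
    # whether or not "Connection: upgrade" is also present.
    wants_upgrade = any(n == "upgrade" and v for n, v in headers)
    has_length = any(n == "content-length" for n, _ in headers)
    return wants_upgrade and has_length


def audit(samples: dict) -> dict:
    """Map each sample name to 'block' or 'allow' under the rule above."""
    return {name: "block" if upgrade_with_content_length(raw) else "allow"
            for name, raw in samples.items()}


# Constructed sample requests (app.example is a placeholder host).
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "websocket_upgrade": b"GET /ws HTTP/1.1\r\nHost: app.example\r\n"
                         b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
    "post_with_length": b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                        b"Content-Length: 5\r\n\r\nhello",
    "upgrade_with_length": b"POST /ws HTTP/1.1\r\nHost: app.example\r\n"
                           b"Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n"
                           b"Content-Length: 5\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```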
Original advisory: CVE-2026-58055 nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length