On February 6, 2026, Akamai eliminated a potential HTTP request smuggling vector caused by a bug in the processing of custom hop-by-hop HTTP headers.
Background
HTTP defines a set of hop-by-hop headers intended to be processed only by the first proxy receiving them and then immediately removed from the request, never forwarded to the next server.
In addition to the hop-by-hop headers specified in the HTTP standard, clients can define their own custom hop-by-hop headers by listing these header names in the “Connection” header; for example, “Connection: My-Custom-Hop-By-Hop-Header”.
Vulnerability details
Akamai edge servers contained a bug due to improper processing of requests specifying “Transfer-Encoding” as a custom hop-by-hop header. Specifically, an attacker could craft a malicious request including the header “Connection: Transfer-Encoding”, which would result in a forward request that contained improper message framing, potentially leading to an HTTP request smuggling attack.
Whether this vulnerability was exploitable in practice depended on the internal Akamai processing path chosen for delivery of that particular request and the origin server’s behavior when receiving such a request.
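As an added illustration (not Akamai's code and not a description of its fix), the Python below shows how a forwarding proxy can apply the hop-by-hop rule from the Background section while refusing requests whose “Connection” header nominates “Transfer-Encoding”. The function names, the reject-instead-of-forward policy, and the sample header lists are assumptions made for this example.

```python
# Added illustration; names and the reject policy are assumptions, not Akamai's code.
# Headers that define where a message body ends. If one of them is nominated as
# hop-by-hop and stripped, the forwarded request can end up with improper framing.
FRAMING_HEADERS = {"transfer-encoding"}

class FramingNominated(ValueError):
    """The Connection header nominates a header that defines message framing."""

def connection_options(headers):
    """Return the lower-cased tokens from every Connection header line."""
    options = set()
    for name, value in headers:
        if name.strip().lower() == "connection":
            options.update(t.strip().lower() for t in value.split(",") if t.strip())
    return options

def strip_hop_by_hop(headers):
    """Remove Connection and the headers it nominates before forwarding.

    Raises FramingNominated when a framing header is nominated, so the caller
    can reject the request instead of forwarding it with altered framing.
    """
    options = connection_options(headers)
    bad = options & FRAMING_HEADERS
    if bad:
        raise FramingNominated(", ".join(sorted(bad)))
    drop = options | {"connection"}
    return [(n, v) for n, v in headers if n.strip().lower() not in drop]

def classify(headers):
    """Return ('forward', cleaned_headers) or ('reject', reason)."""
    try:
        return "forward", strip_hop_by_hop(headers)
    except FramingNominated as exc:
        return "reject", f"Connection nominates framing header: {exc}"

# Constructed sample requests (header lists only, not captured traffic).
BENIGN = [("Host", "example.test"),
          ("Connection", "keep-alive, My-Custom-Hop-By-Hop-Header"),
          ("My-Custom-Hop-By-Hop-Header", "1"),
          ("Accept", "*/*")]
SUSPECT = [("Host", "example.test"),
           ("Connection", "Transfer-Encoding"),
           ("Transfer-Encoding", "chunked")]

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, classify(request))
```

The same token check can be run over logged request headers at an origin or WAF to flag requests of this shape.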
Mitigation
Akamai became aware of this issue on December 30, 2025, and promptly started an investigation. On February 6, 2026, a full fix was deployed, completely eliminating the vulnerability from all Akamai services. No remediation action is required by customers.
As part of our regular incident response work and vulnerability analysis, we have disclosed this issue via CVE-2026-26365.
Special thanks
We thank Jake Murphy of Google Cloud's Mandiant team for reporting this issue through Akamai’s bug bounty program and coordinating with us throughout our investigation.