CVE-2026-6733 | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

Impact: Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests. This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse. Patches: Upgrade to undici v6.26.0, v7.28.0 or v8.5.0. Workarounds: Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

Published: 2026-06-17 Last update: 2026-06-27 Assigner: ce714d77-add3-4f53-aff5-83d477b104bb Source: ce714d77-add3-4f53-aff5-83d477b104bb
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2026-6733 is rated Low Risk (17.4/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.18%). Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-6733

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-18 0.18%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-6733

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
3.7 3.1 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
 2.2 1.4 ce714d77-add3-4f53-aff5-83d477b104bb

Weakness enumeration for CVE-2026-6733

GitHub Security Advisory for CVE-2026-6733

GHSA-35p6-xmwp-9g52 · Severity: low · Ecosystem: npm — undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

OS Trackers for CVE-2026-6733

vendor priority summary link
debian not yet assigned CVE-2026-6733 not yet assigned priority: Debian including 1 source packages (node-undici), 4 status rows across 4 suites (bookworm, forky, sid, trixie): open 2, resolved 2. https://security-tracker.debian.org/tracker/CVE-2026-6733
redhat low https://access.redhat.com/security/cve/CVE-2026-6733
suse low https://www.suse.com/security/cve/CVE-2026-6733/
ubuntu medium CVE-2026-6733 medium priority: Ubuntu including 1 source packages (node-undici), 5 status rows across 5 suites (jammy, noble, questing, resolute, upstream): needs-triage 4, DNE 1. https://ubuntu.com/security/CVE-2026-6733

Affected software / configurations for CVE-2026-6733

Vendor Product Version Raw CPE
nodejs undici < 6.27.0 cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
nodejs undici >= 7.0.0, < 7.28.0 cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
nodejs undici >= 8.0.0, < 8.5.0 cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*

References for CVE-2026-6733

cvelogic Threat Intelligence