Varnish HTTP Cache Vulnerability Allows Security Bypass
Summary
CERT-Bund has issued a security advisory (WID-SEC-2026-0749) regarding a vulnerability in Varnish HTTP Cache versions prior to 8.0.1, 9.0, 6.0.17, and 6.0.16r12. The vulnerability allows remote attackers to bypass security measures, with a CVSS base score of 6.5.
What changed
CERT-Bund has released security advisory WID-SEC-2026-0749 detailing a vulnerability in multiple versions of Varnish HTTP Cache. The flaw, which CERT-Bund rates as medium with a CVSS base score of 6.5, enables remote, anonymous attackers to bypass security measures. Affected versions are Varnish HTTP Cache <8.0.1, <9.0 (Vinyl Cache), <6.0.17, and <6.0.16r12, running on Linux and UNIX operating systems.
Organizations utilizing the affected Varnish HTTP Cache versions must take immediate action to mitigate this risk. While specific mitigation steps are not detailed in this advisory, users are strongly advised to update to patched versions or implement alternative security controls. Failure to address this vulnerability could lead to unauthorized access or compromise of systems protected by Varnish, potentially impacting data integrity and availability.
What to do next
- Review deployed Varnish HTTP Cache versions against the affected version ranges.
- Update Varnish HTTP Cache to a non-vulnerable version (e.g., 8.0.1, 9.0, 6.0.17, 6.0.16r12 or later).
- Implement alternative security measures if immediate patching is not feasible.
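A version triage for the first two steps above, as an added example that is not part of the CERT-Bund advisory or the Varnish project: it compares reported version strings against the fixed releases listed. The assignment of each fixed release to a release line, the function names and the sample inventory are assumptions of this example.

```python
import re

# Fixed releases as listed in the advisory. Assigning each one to a release
# line is an assumption of this example; the advisory does not spell it out.
FIXED = {
    "6.0-r": (6, 0, 16, 12),  # 6.0.x builds carrying an "rN" suffix
    "6.0": (6, 0, 17, 0),     # 6.0.x builds without a suffix
    "vinyl": (9, 0, 0, 0),    # Vinyl Cache
    "main": (8, 0, 1, 0),     # every other Varnish HTTP Cache release
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:r(\d+))?")

def parse_version(text):
    """Return ((major, minor, patch, rev), has_rev) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rev or 0)), rev is not None

def release_line(key, has_rev, vinyl):
    """Pick which fixed release the version must be compared against."""
    if vinyl:
        return "vinyl"
    if key[:2] == (6, 0):
        return "6.0-r" if has_rev else "6.0"
    return "main"

def is_affected(text, vinyl=False):
    """True when the version is below the fixed release of its line."""
    key, has_rev = parse_version(text)
    return key < FIXED[release_line(key, has_rev, vinyl)]

def triage(inventory):
    """Map of host -> version string in, sorted list of hosts to update out."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "edge-1": "varnish-7.5.0",
    "edge-2": "varnish-8.0.1",
    "edge-3": "6.0.16",
    "edge-4": "6.0.16r12",
    "edge-5": "6.0.16r11",
}
```

Hosts whose version string cannot be parsed raise `ValueError` rather than being silently treated as patched, so they surface for manual review.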
Source document (simplified)
[WID-SEC-2026-0749] Varnish HTTP Cache: Vulnerability allows bypassing of security measures
- CVSS Base Score: 6.5 (medium)
- CVSS Temporal Score: 5.7 (medium)
- Remote attack: yes
- Date: 16.03.2026
- Updated: 17.03.2026
- Mitigation: yes
Affected systems
Operating system
- Linux
- UNIX
Product description
Varnish is a reverse proxy used as an HTTP accelerator.
Products
16.03.2026
- Open Source Varnish HTTP Cache <8.0.1
- Open Source Varnish HTTP Cache Vinyl Cache <9.0
- Open Source Varnish HTTP Cache <6.0.17
- Open Source Varnish HTTP Cache <6.0.16r12
Attack
A remote, anonymous attacker can exploit a vulnerability in Varnish HTTP Cache to bypass security measures.