swift-nio-http2 1.44.1 Secures H2-H1 Codec Pseudo-Header Checks
CVE-2026-28898 Published on June 25, 2026
swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
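The check described above, as an added Swift example that is not swift-nio-http2's own code: every pseudo-header value is scanned for CR, LF, or NUL bytes before it is written into an HTTP/1.1 request head. All type and function names are hypothetical, only the request side is shown, and a thrown error stands in for the connection error the library raises.

```swift
// Added illustration; every name here is hypothetical, not swift-nio-http2 API.
enum PseudoHeaderError: Error, Equatable {
    case forbiddenByte(header: String, byte: UInt8)
    case missing(String)
}

// Bytes the advisory lists as rejected: NUL, LF, CR.
let forbiddenBytes: Set<UInt8> = [0x00, 0x0A, 0x0D]

/// Throws if any byte of `value` is CR, LF, or NUL.
/// The scan runs over UTF-8 bytes on purpose: Swift treats "\r\n" as one
/// Character, so a Character-level search for "\r" or "\n" would miss it.
func validatePseudoHeader(name: String, value: String) throws {
    for byte in value.utf8 where forbiddenBytes.contains(byte) {
        throw PseudoHeaderError.forbiddenByte(header: name, byte: byte)
    }
}

/// Builds an HTTP/1.1 request head from HTTP/2 request pseudo-headers.
/// Every value is validated first, so no value can add a line to the output.
func translateRequestHead(_ pseudo: [String: String]) throws -> String {
    for (name, value) in pseudo {
        try validatePseudoHeader(name: name, value: value)
    }
    guard let method = pseudo[":method"] else { throw PseudoHeaderError.missing(":method") }
    guard let path = pseudo[":path"] else { throw PseudoHeaderError.missing(":path") }
    guard let authority = pseudo[":authority"] else { throw PseudoHeaderError.missing(":authority") }
    return "\(method) \(path) HTTP/1.1\r\nHost: \(authority)\r\n\r\n"
}

// Constructed sample inputs: one clean request, one with CR LF inside :path.
let clean = [":method": "GET", ":scheme": "https",
             ":authority": "example.com", ":path": "/index.html"]
let tainted = [":method": "GET", ":scheme": "https",
               ":authority": "example.com", ":path": "/index.html\r\nX-Constructed: 1"]

for (label, headers) in [("clean", clean), ("tainted", tainted)] {
    do {
        let head = try translateRequestHead(headers)
        print("\(label): accepted, \(head.utf8.count) bytes written")
    } catch {
        print("\(label): rejected (\(error))")
    }
}
```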
Vulnerability Analysis
CVE-2026-28898 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is considered low. The potential impact of an exploit is considered small for confidentiality, integrity, and availability.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2026-28898 has been classified as an Output Sanitization vulnerability or weakness.
Products Associated with CVE-2026-28898
Affected Versions
Apple swift-nio-http2: versions before 1.44.1 are affected.