Upgrade pingora-cache to version 0.8.0 or higher.
Affected versions of this package are vulnerable to Privilege Context Switching Error through the insecure default CacheKey implementation, which used only the URI path and excluded critical factors such as the host header. An attacker can cause cross-tenant data leakage or serve malicious content to legitimate users by poisoning shared cache entries.
Note:
This is only exploitable if the default CacheKey implementation is used in multi-tenant deployments with the alpha proxy caching feature enabled.
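The collision described above, modelled as an added example (not pingora-cache's code or API): a path-only key lets one tenant's cached response be served to another, while a key that also covers scheme and normalised host keeps entries separate. The `Request` struct, the `serve` and `simulate` helpers, and the tenant hostnames are constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed request model for illustration; these are not pingora's types.
pub struct Request<'a> {
    pub scheme: &'a str,
    pub host: &'a str, // value of the Host header
    pub path: &'a str, // URI path and query
}

// Models the insecure default from the advisory: only the URI path is keyed.
pub fn path_only_key(req: &Request) -> String {
    req.path.to_string()
}

// Hardened key: scheme + normalised host + path. The host is length-prefixed
// so a crafted Host value cannot collide with another tenant's host + path.
pub fn tenant_key(req: &Request) -> String {
    let host = req.host.trim_end_matches('.').to_ascii_lowercase();
    format!("{}:{}:{}{}", req.scheme.to_ascii_lowercase(), host.len(), host, req.path)
}

// Minimal shared cache: on a miss the origin's body is stored under the key,
// on a hit the stored body is returned regardless of who asked.
pub fn serve(cache: &mut HashMap<String, String>, key: String, origin_body: &str) -> String {
    cache.entry(key).or_insert_with(|| origin_body.to_string()).clone()
}

// Two tenants request the same path through one cache; returns what each receives.
pub fn simulate(key_fn: fn(&Request) -> String) -> (String, String) {
    let mut cache = HashMap::new();
    let a = Request { scheme: "https", host: "tenant-a.example", path: "/account" };
    let b = Request { scheme: "https", host: "Tenant-B.example.", path: "/account" };
    let got_a = serve(&mut cache, key_fn(&a), "body for tenant A");
    let got_b = serve(&mut cache, key_fn(&b), "body for tenant B");
    (got_a, got_b)
}

fn main() {
    println!("path-only key: {:?}", simulate(path_only_key));
    println!("tenant key:    {:?}", simulate(tenant_key));
}
```

With the path-only key the second tenant receives the first tenant's body; with the tenant-aware key each receives its own.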