Vulnerability RCFT-4197

    Overview

    OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, integrity, and availability of end-user data. OutSystems has no indication or reason to believe that this vulnerability has been exploited in the wild.

    Vulnerability risk

    Base Score: 7.6 (High)

    Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L


    To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the public disclosure phase.

    • Embargo phase: This vulnerability didn't require an embargo phase, as OutSystems patched all Cloud environments before disclosure, with no customer impact.
    • Public disclosure: Full details on this vulnerability were published on 22 December, 2020.

    Vulnerability details

    A security flaw was identified in the OutSystems Cloud architecture. It allows an unauthenticated user to poison the HTTP responses to requests performed by other legitimate users. This class of vulnerability is commonly known as HTTP request smuggling: the front-end component (here, the load balancer) and the back-end server disagree about where one HTTP request ends and the next begins, typically because they honour different message-length headers (Content-Length versus Transfer-Encoding). The bytes left over from the attacker's request are then treated by the back end as the start of the next request on the same connection, so another user's request, and therefore the response that user receives, can be poisoned.

    Technology stacks and affected versions

    This vulnerability affects only OutSystems Cloud environments, in any version and stack, that sit behind an Application Load Balancer.

    Protecting your OutSystems installation

    No action is required from customers, as OutSystems patched all Cloud environments. Check the following sections for the actions that were applied to your environments.

    OutSystems Cloud

    OutSystems applied a rule to the environment's Web Application Firewall that blocks all requests whose structure matches an HTTP request smuggling pattern.
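    The following is an added example, not code from OutSystems or from the advisory, and it does not reproduce the WAF rule OutSystems deployed (that rule is not public). It shows the two halves of the issue described above: first, how a single constructed request is framed differently by a hop that honours Content-Length and a hop that honours Transfer-Encoding, leaving attacker-controlled bytes waiting as the prefix of the next user's request; second, a hypothetical front-end check of the kind a "smuggling pattern" rule performs, flagging the header combinations that make such a desync possible. The request bytes, the `example.test` host and all function names are constructed for the illustration.

```python
import re

# Constructed CL.TE request (the textbook case, not traffic from the advisory).
# A front end that frames by Content-Length sees 13 body bytes; a back end that
# frames by Transfer-Encoding stops at the zero-length chunk and keeps
# "SMUGGLED" as the prefix of whatever request arrives next on that connection.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_head(raw):
    """Split a raw request into (request_line, [(name, value), ...], body).
    Names and values keep their raw whitespace so the checks can see it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return lines[0], headers, body


def smuggling_indicators(raw):
    """Return the reasons a request matches a smuggling pattern ([] = clean).
    Hypothetical approximation of a front-end WAF rule, not OutSystems' rule."""
    _, headers, _ = parse_head(raw)
    reasons = []
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    # RFC 7230 section 3.3.3: both headers in one message is the classic
    # CL.TE / TE.CL vector, because the two hops may honour different ones.
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    # Duplicate Content-Length headers with different values, or a
    # non-numeric value, also let the two hops disagree on the body length.
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        reasons.append("non-numeric Content-Length")
    # Obfuscated codings ("xchunked", "chunked\t", "chunked, identity") are
    # treated as chunked by some servers and ignored by others. Only spaces
    # are stripped so that a trailing tab is still reported.
    for v in te:
        if [c.strip(" ").lower() for c in v.split(",")] != ["chunked"]:
            reasons.append(f"unusual Transfer-Encoding value {v.strip()!r}")
    # Whitespace around the header name (space before the colon, obs-fold):
    # one hop sees a header, the other sees junk.
    for n, _ in headers:
        if n != n.strip():
            reasons.append(f"malformed header name {n!r}")
    return reasons


def frame_by_content_length(stream):
    """Front-end view: the body is exactly Content-Length bytes.
    Returns (first_request, leftover_bytes)."""
    _, headers, body = parse_head(stream)
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    n = int(cl[0]) if cl else 0
    head_len = len(stream) - len(body)
    return stream[:head_len + n], stream[head_len + n:]


def frame_by_chunked(stream):
    """Back-end view: the body ends after the zero-length chunk and its
    (empty) trailer section. Returns (first_request, leftover_bytes)."""
    _, _, body = parse_head(stream)
    head_len = len(stream) - len(body)
    pos = 0
    while True:
        size_end = body.index(b"\r\n", pos)
        size = int(body[pos:size_end].split(b";")[0], 16)
        pos = size_end + 2 + size + 2   # chunk-size line, chunk data, CRLF
        if size == 0:
            break
    return stream[:head_len + pos], stream[head_len + pos:]


if __name__ == "__main__":
    _, front_left = frame_by_content_length(CL_TE_REQUEST)
    _, back_left = frame_by_chunked(CL_TE_REQUEST)
    print("front end leftover:", front_left)  # b''
    print("back end leftover: ", back_left)   # b'SMUGGLED'
    print("WAF verdict:", smuggling_indicators(CL_TE_REQUEST))
```

    Run stand-alone, the script shows the front end consuming the whole request while the chunked-parsing back end leaves `SMUGGLED` on the connection, and the check rejecting the request because it carries both length headers. A rule of this shape is a front-end filter on request structure; it does not change how the two hops parse, which is why it is the kind of mitigation that can be applied at a load balancer's WAF without touching the application.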

    Self managed installations

    Self managed installations weren't affected by this vulnerability.


    No workaround is required.


    Question: By exploiting this vulnerability, can an attacker access my data?
    Answer: No. Although the vulnerability compromises the confidentiality of individual connections, it does not directly compromise data stored by the OutSystems platform.

    Question: Has this vulnerability been exploited in the wild?
    Answer: OutSystems has no evidence that this vulnerability has been exploited in the wild or that any customer was affected.

    Question: What do I need to do?
    Answer: No action is required on your side.

    Question: Who can I talk to about this?
    Answer: If you have any questions, contact your Customer Success Manager. If you don't have one, contact us via our support channels.