CVE-2026-28367

HIGH

Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator

Title source: cna

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

References (2)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-28367

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2443260

Scores

CVSS v3 8.7

EPSS 0.0005

EPSS Percentile 14.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (23)

io.undertow/undertow-parent 0Maven

Red Hat/Red Hat build of Apache Camel - HawtIO 4

Red Hat/Red Hat build of Apache Camel for Spring Boot 4

Red Hat/Red Hat Data Grid 8

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Red Hat/Red Hat Fuse 7

Red Hat/Red Hat JBoss Enterprise Application Platform 7

Red Hat/Red Hat JBoss Enterprise Application Platform 8

... and 13 more

Published Mar 27, 2026

Tracked Since Mar 29, 2026