CVE-2026-28367

HIGH

Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator

Title source: cna
STIX 2.1

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

References (4)

Core 4
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25125
https://access.redhat.com/errata/RHSA-2026:25125
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:25126
https://access.redhat.com/errata/RHSA-2026:25126
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-28367
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2443260
https://bugzilla.redhat.com/show_bug.cgi?id=2443260

Scores

CVSS v3 8.7
EPSS 0.0071
EPSS Percentile 48.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-444
Status published
Products (32)
io.undertow/undertow-parent 0 - 2.3.23.FinalMaven
Red Hat/Red Hat build of Apache Camel - HawtIO 4
Red Hat/Red Hat build of Apache Camel for Spring Boot 4
Red Hat/Red Hat Data Grid 8
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
Red Hat/Red Hat Fuse 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7
Red Hat/Red Hat JBoss Enterprise Application Platform 8
... and 22 more
Published Mar 27, 2026
Tracked Since Mar 29, 2026