CVE-2026-28368

HIGH

Undertow: undertow: request smuggling via inconsistent header parsing

Title source: cna

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

References (2)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-28368

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2443261

Scores

CVSS v3 8.7

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (24)

io.undertow/undertow-parent 0Maven

Red Hat/Red Hat build of Apache Camel - HawtIO 4

Red Hat/Red Hat build of Apache Camel for Spring Boot 4

Red Hat/Red Hat Data Grid 8

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Red Hat/Red Hat Fuse 7

Red Hat/Red Hat JBoss Enterprise Application Platform 7

Red Hat/Red Hat JBoss Enterprise Application Platform 8

... and 14 more

Published Mar 27, 2026

Tracked Since Mar 29, 2026