CVE-2026-28369

HIGH

Undertow: undertow: request smuggling via malformed http request headers

Title source: cna

Description

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.

References (2)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-28369

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2443262

Scores

CVSS v3 8.7

EPSS 0.0005

EPSS Percentile 14.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (24)

io.undertow/undertow-parent 0Maven

Red Hat/Red Hat build of Apache Camel - HawtIO 4

Red Hat/Red Hat build of Apache Camel for Spring Boot 4

Red Hat/Red Hat Data Grid 8

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Red Hat/Red Hat Fuse 7

Red Hat/Red Hat JBoss Enterprise Application Platform 7

Red Hat/Red Hat JBoss Enterprise Application Platform 8

... and 14 more

Published Mar 27, 2026

Tracked Since Mar 29, 2026