CVE-2026-28367
HTTP Request Smuggling in Undertow via Malformed Header Termination

Publication date: 2026-03-27

Last updated on: 2026-04-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-10
Generated: 2026-05-06
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
redhat jboss_enterprise_application_platform 7.0.0
redhat undertow *
redhat single_sign-on 7.0
redhat process_automation 7.0
redhat data_grid 8.0
redhat jboss_enterprise_application_platform_expansion_pack *
redhat jboss_enterprise_application_platform 8.0.0
redhat fuse 7.0.0
redhat build_of_apache_camel_-_hawtio 4.0
redhat build_of_apache_camel_for_spring_boot 4.0
CWE
CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request Smuggling"): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28367 is a high-severity vulnerability in Undertow, a web server component, involving HTTP request smuggling.

The issue arises because Undertow incorrectly accepts a sequence of three carriage return characters (`\r\r\r`) as a valid HTTP header block terminator.

This non-standard terminator can be exploited by a remote attacker to perform request smuggling attacks when proxy servers forward this byte sequence.

Older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer are susceptible to this behavior, making them vulnerable when used with Undertow.


How can this vulnerability impact me?

This vulnerability can potentially lead to unauthorized access or manipulation of web requests.

By exploiting the request smuggling flaw, an attacker may bypass security controls, interfere with the integrity of web traffic, or gain access to sensitive information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP traffic for unusual header block terminators, specifically the sequence of three carriage return characters (`\r\r\r`). Network or system administrators can capture and analyze HTTP requests to identify whether such non-standard terminators are present, which may indicate an attempt to exploit the request smuggling flaw.

Using packet capture tools like tcpdump or Wireshark, administrators can filter HTTP traffic and inspect headers for the `\r\r\r` sequence. For example, a tcpdump command to capture HTTP traffic might be:

  • tcpdump -A -s 0 'tcp port 80 or tcp port 443'

After capturing, the traffic can be searched for the `\r\r\r` pattern in HTTP headers. Note that `-A` renders non-printable bytes such as a bare carriage return as `.`, so to match the exact byte sequence write the capture to a file with `-w` and inspect the raw bytes (for example in Wireshark). Traffic on port 443 is TLS-encrypted and is only inspectable where it is decrypted, such as at a terminating proxy or load balancer. Additionally, custom scripts or intrusion detection systems (IDS) can be configured to alert on this specific sequence in HTTP requests.
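The check described above, as an added example that is not part of the advisory or of Undertow's code: it takes raw request bytes (assumed to come from a plaintext capture or from a TLS-terminating proxy that logs them) and flags requests whose header region contains `\r\r\r`, distinguishing a `\r\r\r` that would make Undertow end the header block earlier than a standards-conforming proxy (a desync risk) from one that merely sits in a request body after a proper CRLF CRLF terminator.

```python
# Constructed sample requests (not captured traffic).
NORMAL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n\r\nhello")
# Header block terminated only by CR CR CR, as in CVE-2026-28367.
CRCRCR_TERMINATED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 5\r\r\rhello")
# CR CR CR appears only inside the body, after a proper terminator: benign.
CRCRCR_IN_BODY = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 3\r\n\r\n\r\r\r")

STANDARD_END = b"\r\n\r\n"
ANOMALOUS_END = b"\r\r\r"


def header_region(raw: bytes) -> bytes:
    """Bytes a conforming parser treats as the header block (whole message if
    no CRLF CRLF is present, since then the headers never properly end)."""
    end = raw.find(STANDARD_END)
    return raw if end == -1 else raw[:end + len(STANDARD_END)]


def analyze_request(raw: bytes) -> dict:
    """Locate both terminators and report whether the request is suspicious."""
    std = raw.find(STANDARD_END)
    cr3 = header_region(raw).find(ANOMALOUS_END)
    return {
        "standard_terminator_at": std,
        "crcrcr_at": cr3,
        # CR CR CR anywhere in the header region is non-standard and worth an alert.
        "suspicious": cr3 != -1,
        # Desync risk: a lenient parser would end the headers at CR CR CR while a
        # conforming proxy keeps reading until CRLF CRLF (or never finds one).
        "desync_risk": cr3 != -1 and (std == -1 or cr3 < std),
    }


def scan_requests(requests: list) -> list:
    """Return the indexes of requests that should raise an alert."""
    return [i for i, raw in enumerate(requests) if analyze_request(raw)["suspicious"]]


if __name__ == "__main__":
    for name, raw in [("normal", NORMAL), ("crcrcr", CRCRCR_TERMINATED),
                      ("in_body", CRCRCR_IN_BODY)]:
        print(name, analyze_request(raw))
```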


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Undertow to a version where this vulnerability is fixed, as well as updating or patching any proxy servers such as Apache Traffic Server and Google Cloud Classic Application Load Balancer to versions that do not accept the `\r\r\r` header terminator.

If updates are not immediately available, consider implementing network-level protections such as filtering or blocking HTTP requests containing the `\r\r\r` sequence to prevent exploitation.

Additionally, review and harden proxy server configurations to ensure they properly validate HTTP header terminators and do not forward malformed requests.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Undertow allows for HTTP request smuggling, potentially leading to unauthorized access or manipulation of web requests. Such unauthorized access or data manipulation could result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and the integrity of data transmissions.

Organizations using affected components (Undertow with certain proxy servers) may face increased risk of non-compliance due to the possibility of attackers exploiting this flaw to bypass security controls, access protected data, or alter requests in transit.

