CVE-2026-28367
Modified Modified - Updated After Analysis
HTTP Request Smuggling in Undertow via Malformed Header Termination

Publication date: 2026-03-27

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28367
EUVD
EUVD-2026-16694
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
redhat jboss_enterprise_application_platform 7.0.0
redhat undertow *
redhat single_sign-on 7.0
redhat process_automation 7.0
redhat data_grid 8.0
redhat jboss_enterprise_application_platform_expansion_pack *
redhat jboss_enterprise_application_platform 8.0.0
redhat fuse 7.0.0
redhat build_of_apache_camel_-_hawtio 4.0
redhat build_of_apache_camel_for_spring_boot 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28367 is a high-severity vulnerability in Undertow, a web server component, involving HTTP request smuggling.

The issue arises because Undertow incorrectly accepts a sequence of three carriage return characters (`\r\r\r`) as a valid HTTP header block terminator.

This non-standard terminator can be exploited by a remote attacker to perform request smuggling attacks when proxy servers forward this byte sequence.

Older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer are susceptible to this behavior, making them vulnerable when used with Undertow.

Impact Analysis

This vulnerability can potentially lead to unauthorized access or manipulation of web requests.

By exploiting the request smuggling flaw, an attacker may bypass security controls, interfere with the integrity of web traffic, or gain access to sensitive information.

Detection Guidance

This vulnerability can be detected by monitoring HTTP traffic for unusual header block terminators, specifically the sequence of three carriage return characters (`\r\r\r`). Network or system administrators can capture and analyze HTTP requests to identify if such non-standard terminators are present, which may indicate an attempt to exploit the request smuggling flaw.

Using packet capture tools like tcpdump or Wireshark, administrators can filter HTTP traffic and inspect headers for the `\r\r\r` sequence. For example, a tcpdump command to capture HTTP traffic might be:

  • tcpdump -A -s 0 'tcp port 80 or tcp port 443'

After capturing, the traffic can be searched for the `\r\r\r` pattern in HTTP headers. Additionally, custom scripts or intrusion detection systems (IDS) can be configured to alert on this specific sequence in HTTP requests.

Mitigation Strategies

Immediate mitigation steps include updating Undertow to a version where this vulnerability is fixed, as well as updating or patching any proxy servers such as Apache Traffic Server and Google Cloud Classic Application Load Balancer to versions that do not accept the `\r\r\r` header terminator.

If updates are not immediately available, consider implementing network-level protections such as filtering or blocking HTTP requests containing the `\r\r\r` sequence to prevent exploitation.

Additionally, review and harden proxy server configurations to ensure they properly validate HTTP header terminators and do not forward malformed requests.

Compliance Impact

The vulnerability in Undertow allows for HTTP request smuggling, potentially leading to unauthorized access or manipulation of web requests. Such unauthorized access or data manipulation could result in violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and the integrity of data transmissions.

Organizations using affected components (Undertow with certain proxy servers) may face increased risk of non-compliance due to the possibility of attackers exploiting this flaw to bypass security controls, access protected data, or alter requests in transit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28367. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart