CVE-2026-28368
Status: Received - Intake
HTTP Request Smuggling Vulnerability in Undertow Allows Unauthorized Access

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (11 associated CPEs)
Vendor   Product                                               Version / Range
redhat   jboss_enterprise_application_platform                 7.0.0
redhat   undertow                                              *
redhat   single_sign-on                                        7.0
redhat   process_automation                                    7.0
redhat   data_grid                                             8.0
redhat   jboss_enterprise_application_platform_expansion_pack  *
redhat   enterprise_linux                                      9.0
redhat   jboss_enterprise_application_platform                 8.0.0
redhat   fuse                                                  7.0.0
redhat   build_of_apache_camel_-_hawtio                        4.0
redhat   build_of_apache_camel_for_spring_boot                 4.0
Exploitability
CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling'): The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28368 is a vulnerability in Undertow, the Java web server embedded in Red Hat JBoss EAP and several other Red Hat products. Undertow terminates an HTTP header name at the first space or colon it encounters, whereas a parser that follows RFC 7230 accepts a header name only as a token immediately followed by a colon.

An attacker can therefore craft a header line that an upstream proxy does not recognize as a header (so any control the proxy enforces on that header does not apply) but that Undertow accepts and acts on. Because the two hops disagree about which headers the request contains, the request can be used for HTTP request smuggling (CWE-444) to bypass controls enforced in front of Undertow.


How can this vulnerability impact me?

This vulnerability can be exploited to launch HTTP request smuggling attacks, which may allow attackers to bypass security controls and access unauthorized resources.

  • Unauthorized access to protected resources.
  • Request hijacking or manipulation.
  • Potential compromise of data confidentiality and integrity.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation attempts show up as requests whose header lines do not conform to RFC 7230: whitespace between the field name and the colon, or a header line with no colon at all. RFC 7230 section 3.2.4 requires a server to reject a request containing whitespace between a header name and its colon with a 400 response, so any such line that reaches Undertow through a proxy is itself evidence that the proxy is passing on what it should have rejected.

Inspect proxy access logs and raw traffic captures for header names that contain spaces; a WAF or IDS rule matching a space or control character before the first colon of a header line will catch the pattern. Note that a proxy which silently drops invalid headers leaves no trace of them in its own logs, so the check has to be made on the raw stream or on the Undertow side.

The available resources give no specific commands. A practical test is to send a request with a deliberately malformed header (for example a space before the colon) through the proxy with netcat, which transmits the bytes verbatim, and observe whether Undertow honours the header; if it does, the parsing discrepancy exists on that path.
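The following Python script is an added example, not code from Undertow or from this advisory, and it serves both the explanation above and the detection question just answered. It models two header parsers: a "lenient" one that ends the header name at the first space or colon, as the advisory describes Undertow doing, and a "strict" one that follows RFC 7230 (the field name is a token immediately followed by a colon, and anything else is invalid). Running both over a constructed request shows which header names only the lenient side sees, which is exactly the CWE-444 precondition, and the audit function returns the lines a proxy should reject. How the lenient parser treats the remainder of a line after a space delimiter, and the sample request itself, are assumptions of this model; the advisory publishes no payload.

```python
"""
Model of the header-parsing discrepancy behind CWE-444 request smuggling.

Added example, not Undertow code. The 'lenient' parser models the behaviour the
advisory describes (header name ends at the first space OR colon); how the rest
of the line is handled is an assumption of this model. The 'strict' parser
follows RFC 7230 section 3.2: field-name is a token immediately followed by ':'.
"""
import re

# RFC 7230 tchar: the only characters allowed in a header field-name.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def split_request(raw: bytes):
    """Return (request_line, [header_lines]) from a raw HTTP/1.1 request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:]


def parse_strict(header_lines):
    """RFC 7230 parse. Returns (headers, invalid_lines).

    A line is invalid if it has no colon, or if the text before the colon is not
    a single token (a space before the colon fails this). Invalid lines never
    become headers; a conforming server rejects the whole request with 400.
    """
    headers, invalid = {}, []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not TCHAR_RE.match(name):
            invalid.append(line)
            continue
        headers[name.lower()] = value.strip()
    return headers, invalid


def parse_lenient(header_lines):
    """Model of the described behaviour: the header name ends at whichever comes
    first, a space or a colon. Assumption (not from the advisory): after a space
    delimiter, an optional colon and surrounding whitespace are skipped."""
    headers = {}
    for line in header_lines:
        m = re.match(r"([^ :]*)([ :])(.*)", line)
        if not m or not m.group(1):
            continue  # no delimiter or empty name; ignored in this model
        name, delim, rest = m.groups()
        if delim == " ":
            rest = rest.lstrip(" ").lstrip(":")
        headers[name.lower()] = rest.strip()
    return headers


def find_discrepancies(raw: bytes):
    """Header names the lenient parser accepts but the strict parser rejects or
    reads differently. A non-empty result is the smuggling precondition."""
    _, lines = split_request(raw)
    strict, _invalid = parse_strict(lines)
    lenient = parse_lenient(lines)
    return sorted(n for n, v in lenient.items() if strict.get(n) != v)


def audit_request(raw: bytes):
    """Detection helper: header lines a proxy or WAF should reject outright
    (no colon, or whitespace / non-token characters before the colon)."""
    _, lines = split_request(raw)
    _, invalid = parse_strict(lines)
    return invalid


# Constructed sample request for this example; not a captured or published payload.
SAMPLE_REQUEST = (
    b"POST /admin/users HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Length: 0\r\n"
    b"Transfer-Encoding : chunked\r\n"   # space before the colon
    b"X-Internal-Auth trusted\r\n"       # no colon at all
    b"X-Normal: fine\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    _, header_lines = split_request(SAMPLE_REQUEST)
    print("strict  :", parse_strict(header_lines)[0])
    print("lenient :", parse_lenient(header_lines))
    print("differ  :", find_discrepancies(SAMPLE_REQUEST))
    print("reject  :", audit_request(SAMPLE_REQUEST))
```

Run directly to print both parsers' view of the sample; on the constructed request the strict parser sees only Host, Content-Length and X-Normal, while the lenient model additionally sees Transfer-Encoding and X-Internal-Auth. `audit_request` needs only the raw request head as bytes, so it can be applied to replayed captures or to requests mirrored from a proxy.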


What immediate steps should I take to mitigate this vulnerability?

Update Undertow, or the Red Hat product that bundles it, to a version carrying the fix as soon as one is available; the flaw is in Undertow's own header parsing, so no proxy-side setting removes it completely.

Until then, configure the upstream proxy or load balancer to reject any request whose header lines contain whitespace before the colon or lack a colon altogether. Rejecting at the edge restores the consistent interpretation between the two hops that request smuggling depends on; it is preferable to silently dropping the offending line, because a proxy that forwards the raw bytes unchanged reproduces the discrepancy on the backend.

Additionally, monitor for and block requests with malformed headers, as described under detection above.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability enables HTTP request smuggling attacks that can lead to unauthorized access and request hijacking. Such unauthorized access to protected resources or sensitive data could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data privacy and security.

By bypassing security controls through this flaw, organizations using Undertow may inadvertently expose personal or sensitive information, increasing the risk of data breaches and regulatory violations.

