CVE-2026-28368
Modified Modified - Updated After Analysis
HTTP Request Smuggling Vulnerability in Undertow Allows Unauthorized Access

Publication date: 2026-03-27

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28368
EUVD
EUVD-2026-16696
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
redhat jboss_enterprise_application_platform 7.0.0
redhat undertow *
redhat single_sign-on 7.0
redhat process_automation 7.0
redhat data_grid 8.0
redhat jboss_enterprise_application_platform_expansion_pack *
redhat enterprise_linux 9.0
redhat jboss_enterprise_application_platform 8.0.0
redhat fuse 7.0.0
redhat build_of_apache_camel_-_hawtio 4.0
redhat build_of_apache_camel_for_spring_boot 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability enables HTTP request smuggling attacks that can lead to unauthorized access and request hijacking. Such unauthorized access to protected resources or sensitive data could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over data privacy and security.

By bypassing security controls through this flaw, organizations using Undertow may inadvertently expose personal or sensitive information, increasing the risk of data breaches and regulatory violations.

Executive Summary

CVE-2026-28368 is a high-severity security vulnerability in Undertow, a web server component. The issue arises from Undertow's inconsistent parsing of HTTP headers, where it splits header names from their values based on either the first space or colon encountered.

This parsing method allows attackers to craft malicious HTTP requests containing headers that are recognized and processed by Undertow but remain invisible to upstream proxies. Such discrepancies enable HTTP request smuggling attacks.

In essence, the vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies, leading to potential security bypass.

Impact Analysis

This vulnerability can be exploited to launch HTTP request smuggling attacks, which may allow attackers to bypass security controls and access unauthorized resources.

  • Unauthorized access to protected resources.
  • Request hijacking or manipulation.
  • Potential compromise of data confidentiality and integrity.
Detection Guidance

This vulnerability can be detected by analyzing HTTP requests and responses for inconsistencies in header parsing between Undertow and upstream proxies. Specifically, monitoring for specially crafted HTTP requests where header names are parsed differently by Undertow compared to other components can indicate exploitation attempts.

Network traffic inspection tools or proxy logs can be used to identify suspicious requests that contain unusual header formatting, such as headers with spaces or colons that might be interpreted differently.

While no specific commands are provided in the available resources, common approaches include using tools like curl or netcat to send crafted HTTP requests and observing server behavior, or employing intrusion detection systems with rules targeting HTTP request smuggling patterns.

Mitigation Strategies

Immediate mitigation steps include updating Undertow to a patched version once available, as the vulnerability arises from its header parsing logic.

In the meantime, configuring upstream proxies and web servers to normalize or strictly validate HTTP headers can reduce the risk of request smuggling attacks.

Additionally, monitoring and blocking suspicious HTTP requests with malformed headers can help prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart