CVE-2026-28369
Modified Modified - Updated After Analysis
HTTP Request Smuggling Vulnerability in Undertow Due to Header Parsing Flaw

Publication date: 2026-03-27

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28369
EUVD
EUVD-2026-16698
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
redhat jboss_enterprise_application_platform 7.0.0
redhat undertow *
redhat single_sign-on 7.0
redhat process_automation 7.0
redhat data_grid 8.0
redhat jboss_enterprise_application_platform_expansion_pack *
redhat enterprise_linux 9.0
redhat jboss_enterprise_application_platform 8.0.0
redhat fuse 7.0.0
redhat build_of_apache_camel_-_hawtio 4.0
redhat build_of_apache_camel_for_spring_boot 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Undertow, a web server component. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly strips these leading spaces before processing the request.

According to HTTP standards, a header line starting with a space or tab (known as "obs-fold") is only valid to continue the previous header line's value. However, applying this to the very first header line is invalid and such requests should be rejected.

Undertow's improper handling of this situation allows a remote attacker to exploit the flaw by performing HTTP request smuggling. This means the attacker can manipulate how requests are parsed and forwarded by the server.

Impact Analysis

This vulnerability can have serious impacts including bypassing security mechanisms, accessing restricted information, and manipulating web caches.

Such actions can lead to unauthorized activities or exposure of sensitive data, potentially compromising the security and integrity of affected systems.

Detection Guidance

This vulnerability involves HTTP request smuggling via malformed HTTP request headers where the first header line starts with one or more spaces. Detection involves monitoring HTTP requests to identify those with a first header line beginning with spaces, which is non-compliant with HTTP standards.

You can use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests and filter for headers starting with spaces. For example, using tcpdump to capture HTTP traffic on port 80 or 443:

  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -P '^\s'

Alternatively, you can use curl or similar HTTP clients to send crafted requests with leading spaces in the first header line to test if the server improperly processes them.

Mitigation Strategies

Immediate mitigation steps include updating Undertow to a version where this vulnerability is fixed, as the issue arises from improper handling of HTTP headers.

If an update is not immediately possible, consider implementing web application firewall (WAF) rules or reverse proxy filters to reject HTTP requests where the first header line starts with spaces.

Additionally, monitor and restrict incoming HTTP traffic to detect and block suspicious request patterns that could exploit this vulnerability.

Compliance Impact

This vulnerability enables HTTP request smuggling, which can allow attackers to bypass security mechanisms, access restricted information, or manipulate web caches. Such unauthorized access or data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.

By potentially allowing unauthorized actions or data exposure, this flaw in Undertow could compromise compliance with standards that mandate confidentiality, integrity, and security of data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart