CVE-2026-28369
HTTP Request Smuggling Vulnerability in Undertow Due to Header Parsing Flaw
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | jboss_enterprise_application_platform | 7.0.0 |
| redhat | undertow | * |
| redhat | single_sign-on | 7.0 |
| redhat | process_automation | 7.0 |
| redhat | data_grid | 8.0 |
| redhat | jboss_enterprise_application_platform_expansion_pack | * |
| redhat | enterprise_linux | 9.0 |
| redhat | jboss_enterprise_application_platform | 8.0.0 |
| redhat | fuse | 7.0.0 |
| redhat | build_of_apache_camel_-_hawtio | 4.0 |
| redhat | build_of_apache_camel_for_spring_boot | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Undertow, a web server component. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly strips these leading spaces before processing the request.
According to HTTP standards, a header line starting with a space or tab (known as "obs-fold") is only valid to continue the previous header line's value. However, applying this to the very first header line is invalid and such requests should be rejected.
Undertow's improper handling of this situation allows a remote attacker to exploit the flaw by performing HTTP request smuggling. This means the attacker can manipulate how requests are parsed and forwarded by the server.
How can this vulnerability impact me?
This vulnerability can have serious impacts including bypassing security mechanisms, accessing restricted information, and manipulating web caches.
Such actions can lead to unauthorized activities or exposure of sensitive data, potentially compromising the security and integrity of affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves HTTP request smuggling via malformed HTTP request headers where the first header line starts with one or more spaces. Detection involves monitoring HTTP requests to identify those with a first header line beginning with spaces, which is non-compliant with HTTP standards.
You can use network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests and filter for header lines starting with whitespace. For example, using tcpdump to capture HTTP traffic on port 80 or 443:
- tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -P '^\s'
Note that this pattern flags every payload line that begins with a space or tab, including legitimate obs-fold continuation lines and body content, so each hit still has to be checked against the request line that precedes it to confirm the whitespace is on the first header line. Traffic on port 443 is TLS-encrypted and only shows readable headers if captured after TLS termination (for example, on the reverse proxy in front of Undertow).
Alternatively, you can use curl or similar HTTP clients to send crafted requests with leading spaces in the first header line to test if the server improperly processes them.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Undertow to a version where this vulnerability is fixed, as the issue arises from improper handling of HTTP headers.
If an update is not immediately possible, consider implementing web application firewall (WAF) rules or reverse proxy filters to reject HTTP requests where the first header line starts with spaces.
Additionally, monitor and restrict incoming HTTP traffic to detect and block suspicious request patterns that could exploit this vulnerability.
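The detection and WAF/reverse-proxy filtering answers above both come down to one check: a request whose first header line begins with SP or HTAB has no previous field to continue, so it must be rejected rather than having the whitespace stripped. The following Python is an added example written for this page, not Undertow's code or Red Hat's fix. It is a minimal HTTP/1.1 request-head validator of the kind a front proxy filter could apply: it rejects a leading-whitespace first header line, still accepts obs-fold on later lines by replacing the fold with a single space (the behaviour RFC 7230 section 3.2.4 allows recipients), and returns a rejection reason that can be logged. The sample requests, host name and regexes are constructed assumptions for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample requests (not taken from the advisory); CRLF line endings as on the wire.
COMPLIANT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"User-Agent: check/1.0\r\n"
    b"\r\n"
)

# First header line begins with a space: the condition the advisory describes.
LEADING_WS_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b" Host: example.internal\r\n"
    b"User-Agent: check/1.0\r\n"
    b"\r\n"
)

# obs-fold on a later line is a deprecated continuation of the previous field value.
OBS_FOLD_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"X-Note: first part\r\n"
    b" second part\r\n"
    b"\r\n"
)

# Simplified request-line shape: METHOD SP target SP HTTP/1.x (assumption for the example).
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
# RFC 7230 field-name is one or more tchar characters followed by a colon.
FIELD_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):(.*)$")


def parse_request_head(raw: bytes) -> Tuple[Optional[str], Dict[str, str]]:
    """Parse the request line and header block of one HTTP/1.1 request.

    Returns (reason, headers): reason is None when the head is acceptable,
    otherwise a short string explaining why it must be rejected. The head
    ends at the first empty line; only CRLF is accepted as a line terminator.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete header block", {}
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return "malformed request line", {}

    headers: Dict[str, str] = {}
    last_name: Optional[str] = None
    for idx, line in enumerate(lines[1:]):
        if line[:1] in (b" ", b"\t"):
            if idx == 0:
                # No previous field exists to continue, so there is nothing to
                # fold into: reject instead of silently stripping the whitespace.
                return "first header line starts with whitespace", {}
            # obs-fold: replace the fold with a single SP and append to the last field.
            headers[last_name] += " " + line.strip().decode("latin-1")
            continue
        m = FIELD_LINE.match(line)
        if not m:
            return "malformed header field", {}
        name = m.group(1).decode("latin-1").lower()
        value = m.group(2).strip().decode("latin-1")
        # Repeated field names are combined with a comma, as the RFC permits.
        headers[name] = value if name not in headers else headers[name] + ", " + value
        last_name = name
    return None, headers


def should_reject(raw: bytes) -> bool:
    """Filter decision a reverse proxy or WAF rule could apply in front of Undertow."""
    reason, _ = parse_request_head(raw)
    return reason is not None


if __name__ == "__main__":
    for label, req in (("compliant", COMPLIANT_REQUEST),
                       ("leading-whitespace", LEADING_WS_REQUEST),
                       ("obs-fold", OBS_FOLD_REQUEST)):
        reason, hdrs = parse_request_head(req)
        print(f"{label}: {'REJECT (' + reason + ')' if reason else 'accept ' + str(hdrs)}")
```

The rejection reason is returned rather than only logged so that the same function can feed both a blocking rule and a detection counter; the check is deliberately performed on the raw bytes before any header normalisation, because the whole point is to decide before whitespace is stripped.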
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability enables HTTP request smuggling, which can allow attackers to bypass security mechanisms, access restricted information, or manipulate web caches. Such unauthorized access or data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.
By potentially allowing unauthorized actions or data exposure, this flaw in Undertow could compromise compliance with standards that mandate confidentiality, integrity, and security of data.