CVE-2026-3260
Received Received - Intake
Denial of Service via Multipart Parsing in Undertow Server

Publication date: 2026-03-24

Last updated on: 2026-04-08

Assigner: Red Hat, Inc.

Description
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3260
EUVD
EUVD-2026-14732
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
redhat jboss_enterprise_application_platform 7.0.0
redhat undertow *
redhat enterprise_linux 8.0
redhat single_sign-on 7.0
redhat process_automation 7.0
redhat data_grid 8.0
redhat jboss_enterprise_application_platform_expansion_pack *
redhat enterprise_linux 9.0
redhat jboss_enterprise_application_platform 8.0.0
redhat enterprise_linux 10.0
redhat fuse 7.0.0
redhat build_of_apache_camel_-_hawtio 4.0
redhat build_of_apache_camel_for_spring_boot 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3260 is a vulnerability in Undertow, a web server component used in Wildfly. It occurs when a remote attacker sends an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), Undertow prematurely parses and stores this multipart content to disk.

This behavior is unusual because GET requests typically do not carry multipart/form-data payloads. The premature parsing and storing of this data can lead to resource exhaustion on the server.

Impact Analysis

The vulnerability can lead to a Denial of Service (DoS) attack. Because the server unnecessarily processes and stores potentially large multipart data sent in GET requests, it can exhaust server resources such as disk space and memory.

This resource exhaustion can cause the server to become unresponsive or crash, impacting availability of the affected application or service.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP GET requests that contain multipart/form-data content, which is unusual since GET requests typically do not carry such payloads.'}, {'type': 'paragraph', 'content': 'You can inspect web server logs or use network traffic analysis tools to identify GET requests with multipart/form-data headers.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like tcpdump or tshark to filter HTTP GET requests with multipart/form-data content might help detect exploitation attempts.'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET' | grep 'multipart/form-data'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "GET" && http.content_type contains "multipart/form-data"\' -T fields -e ip.src -e http.host -e http.request.uri'}, {'type': 'paragraph', 'content': 'Additionally, reviewing application logs for calls to parameter-parsing methods like getParameterMap() during GET requests may help identify vulnerable behavior.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting or blocking HTTP GET requests that contain multipart/form-data content at the web server or application firewall level.

You should also update Undertow to a version where this vulnerability is fixed, as the issue arises from premature parsing and storing of multipart data on GET requests.

If updating is not immediately possible, consider implementing input validation to reject or ignore multipart/form-data content in GET requests within the application.

Monitoring resource usage to detect unusual disk or memory consumption caused by multipart data processing can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3260. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart