Skip to main content

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Remote unauthenticated over HTTP (AV:N/PR:N/UI:N); AC:H because exploitation requires a specific tolerant-vs-strict proxy pairing; S:C because smuggling crosses the proxy trust boundary; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Red Hat
8.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 10, 2026 - 22:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 22:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 10, 2026 - 22:22 NVD
HIGH CRITICAL
CVSS changed
Jun 10, 2026 - 22:22 NVD
8.7 (HIGH) 9.1 (CRITICAL)
EUVD ID Assigned
Mar 27, 2026 - 16:45 euvd
EUVD-2026-16696
Analysis Generated
Mar 27, 2026 - 16:45 vuln.today
CVE Published
Mar 27, 2026 - 16:13 nvd
HIGH 8.7

DescriptionNVD

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

AnalysisAI

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Technical ContextAI

Undertow is the high-performance non-blocking HTTP server used as the embedded web layer in JBoss EAP/Wildfly and many Red Hat middleware products. CWE-444 (Inconsistent Interpretation of HTTP Requests, a.k.a. HTTP Request Smuggling) arises when two HTTP processors in a chain - typically a fronting proxy/load balancer and the origin server - disagree on where one request ends and the next begins. In this case Undertow's header-name parser tolerates or normalizes characters differently than upstream proxies, so an attacker can craft a single TCP message that the proxy treats as one request but Undertow splits into two, smuggling the trailing request past proxy-level auth, WAF, or routing rules.

RemediationAI

Apply Patch available per vendor advisory by installing the Red Hat errata RHSA-2026:25125 (https://access.redhat.com/errata/RHSA-2026:25125) and RHSA-2026:25126 (https://access.redhat.com/errata/RHSA-2026:25126), which update the Undertow packages shipped in the affected RHEL, JBoss EAP, Data Grid, Fuse, and Camel products; cross-reference https://access.redhat.com/security/cve/CVE-2026-28368 for the per-product fixed component versions. Where immediate patching is not possible, configure the fronting proxy to strictly validate and normalize HTTP header names (reject non-token characters, reject ambiguous Content-Length/Transfer-Encoding combinations) and terminate any connection that contains malformed headers - note this can break legitimate clients that send non-RFC-compliant headers. Disabling HTTP/1.1 connection reuse (keep-alive) between the proxy and Undertow also eliminates the smuggling primitive at the cost of significant throughput loss, and is only acceptable as a short-term mitigation.

Vendor StatusVendor

Share

CVE-2026-28368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy