Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable and unauthenticated, but AC:H because exploitation depends on a permissive front-end proxy; scope changes as smuggled requests cross the proxy/server trust boundary, high C/I, no availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionNVD
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
AnalysisAI
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.
Technical ContextAI
Undertow is the high-performance non-blocking HTTP server written by Red Hat and embedded across the JBoss/WildFly ecosystem, Red Hat Data Grid 8, Fuse 7, and the Camel for Spring Boot/Hawtio 4 distributions. The flaw is a CWE-444 Inconsistent Interpretation of HTTP Requests: per RFC 7230 §3, a request line and header field-name must not be preceded by whitespace, and conformant intermediaries must reject such messages. Undertow instead silently strips leading whitespace from the first header line, so a request that an upstream proxy (HAProxy, nginx, Apache, an API gateway, or AWS ALB) interprets one way is reframed by Undertow as a different request - the classic precondition for HTTP request/response smuggling against a shared TCP connection or cache.
RemediationAI
Patch available per vendor advisory: apply Red Hat errata RHSA-2026:25125 and RHSA-2026:25126 (https://access.redhat.com/errata/RHSA-2026:25125, https://access.redhat.com/errata/RHSA-2026:25126) to update Undertow across affected JBoss EAP, Data Grid, Fuse, Camel, and RHEL channels; exact fixed Undertow versions are not enumerated in the supplied data, so confirm the build via the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-28369 and Bugzilla 2443262. Until patching, place an RFC-strict reverse proxy in front of Undertow that rejects requests whose first header line begins with whitespace (modern nginx, Apache httpd with mod_security CRS rule 920270, or HAProxy with 'option http-no-strict' disabled) - the trade-off is potential breakage of any non-conforming clients. Disable HTTP/1.1 keep-alive or connection reuse on the proxy-to-Undertow leg to neutralise the smuggling primitive at the cost of throughput, and segregate sensitive endpoints behind a separately-fronted listener so a successful smuggle cannot pivot between security zones.
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Remote code execution in Red Hat Apache Camel Infinispan component allows low-privileged attackers to execute arbitrary
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16698
GHSA-vqqj-9cmv-hx43