Skip to main content

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable and unauthenticated, but AC:H because exploitation depends on a permissive front-end proxy; scope changes as smuggled requests cross the proxy/server trust boundary, high C/I, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Red Hat
8.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 10, 2026 - 22:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 10, 2026 - 22:22 NVD
HIGH CRITICAL
CVSS changed
Jun 10, 2026 - 22:22 NVD
8.7 (HIGH) 9.1 (CRITICAL)
EUVD ID Assigned
Mar 27, 2026 - 16:45 euvd
EUVD-2026-16698
Analysis Generated
Mar 27, 2026 - 16:45 vuln.today
CVE Published
Mar 27, 2026 - 16:13 nvd
HIGH 8.7

DescriptionNVD

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.

AnalysisAI

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Technical ContextAI

Undertow is the high-performance non-blocking HTTP server written by Red Hat and embedded across the JBoss/WildFly ecosystem, Red Hat Data Grid 8, Fuse 7, and the Camel for Spring Boot/Hawtio 4 distributions. The flaw is a CWE-444 Inconsistent Interpretation of HTTP Requests: per RFC 7230 §3, a request line and header field-name must not be preceded by whitespace, and conformant intermediaries must reject such messages. Undertow instead silently strips leading whitespace from the first header line, so a request that an upstream proxy (HAProxy, nginx, Apache, an API gateway, or AWS ALB) interprets one way is reframed by Undertow as a different request - the classic precondition for HTTP request/response smuggling against a shared TCP connection or cache.

RemediationAI

Patch available per vendor advisory: apply Red Hat errata RHSA-2026:25125 and RHSA-2026:25126 (https://access.redhat.com/errata/RHSA-2026:25125, https://access.redhat.com/errata/RHSA-2026:25126) to update Undertow across affected JBoss EAP, Data Grid, Fuse, Camel, and RHEL channels; exact fixed Undertow versions are not enumerated in the supplied data, so confirm the build via the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-28369 and Bugzilla 2443262. Until patching, place an RFC-strict reverse proxy in front of Undertow that rejects requests whose first header line begins with whitespace (modern nginx, Apache httpd with mod_security CRS rule 920270, or HAProxy with 'option http-no-strict' disabled) - the trade-off is potential breakage of any non-conforming clients. Disable HTTP/1.1 keep-alive or connection reuse on the proxy-to-Undertow leg to neutralise the smuggling primitive at the cost of throughput, and segregate sensitive endpoints behind a separately-fronted listener so a successful smuggle cannot pivot between security zones.

Vendor StatusVendor

Share

CVE-2026-28369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy