EUVD-2026-16694 | CVE-2026-28367 | HIGH
2026-03-27 | redhat | GHSA-3gv6-g396-9v4r
CVSS 3.1 base score: 8.7

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 27, 2026 - 16:45 (euvd), EUVD-2026-16694
Analysis Generated: Mar 27, 2026 - 16:45 (vuln.today)
CVE Published: Mar 27, 2026 - 16:13 (nvd)
Severity: HIGH 8.7

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

Analysis

Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. …


Remediation

Within 24 hours: inventory all JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 deployments; determine exposure via Apache Traffic Server or Google Cloud Classic ALB proxies. Within 7 days: implement network segmentation to restrict direct access to affected systems and deploy WAF rules to detect malformed HTTP header terminators; contact Red Hat for patch timeline. …
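Added example, not from the advisory or from Undertow's own code: a strict HTTP header-block validator of the kind the WAF rule above would need. It accepts only CRLF line endings and the CRLF CRLF terminator, and flags the `\r\r\r` terminator shape named in the description, including the case where a bare-CR sequence appears before a later, well-formed terminator. The sample requests are constructed.

```python
import re
from dataclasses import dataclass

STANDARD_END = b"\r\n\r\n"
# Terminator shapes a lenient parser might accept; the advisory names "\r\r\r".
NON_STANDARD_ENDS = (b"\r\r\r", b"\n\n", b"\r\r")


@dataclass
class HeaderCheck:
    ok: bool
    reason: str
    header_len: int  # bytes consumed by the header block, 0 when rejected


def strict_header_block(raw: bytes) -> HeaderCheck:
    """Accept only a header block terminated by CRLF CRLF with clean CRLF lines."""
    end = raw.find(STANDARD_END)
    if end == -1:
        for alt in NON_STANDARD_ENDS:
            if alt in raw:
                return HeaderCheck(False, f"non-standard terminator {alt!r}", 0)
        return HeaderCheck(False, "incomplete header block", 0)
    block = raw[:end]
    # A CR not followed by LF, or an LF not preceded by CR, makes the line
    # structure ambiguous: a lenient peer may end the headers earlier than we do,
    # which is the parser disagreement that request smuggling relies on.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", block):
        return HeaderCheck(False, "bare CR or LF inside header block", 0)
    return HeaderCheck(True, "ok", end + len(STANDARD_END))


def scan_requests(requests):
    """Return (index, reason) for every raw request a strict front end should reject."""
    flagged = []
    for i, raw in enumerate(requests):
        check = strict_header_block(raw)
        if not check.ok:
            flagged.append((i, check.reason))
    return flagged


# Constructed samples (not captured traffic): one well-formed request and two
# using the bare-CR terminator shape described in the advisory.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.test\r\r\r",
    b"POST / HTTP/1.1\r\nHost: example.test\r\r\rGET /other HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, reason in scan_requests(SAMPLES):
        print(f"request {idx}: rejected ({reason})")
```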


Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0

Vendor Status


EUVD-2026-16694 vulnerability details – vuln.today
