What is the CVSS score of EUVD-2026-16694?

EUVD-2026-16694 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Apache are affected by EUVD-2026-16694?

CVE-2026-28367 affects Red Hat JBoss EAP, Fuse, Data Grid, and RHEL 8-10 systems, enabling unauthenticated remote attackers to manipulate HTTP requests and bypass security controls through malformed…

Apache EUVD-2026-16694

| CVE-2026-28367 HIGH

HTTP Request/Response Smuggling (CWE-444)

2026-03-27 redhat

GHSA-3gv6-g396-9v4r

Authentication Bypass Apache Google Request Smuggling

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 27, 2026 - 16:45 euvd

EUVD-2026-16694

Analysis Generated

Mar 27, 2026 - 16:45 vuln.today

CVE Published

Mar 27, 2026 - 16:13 nvd

HIGH 8.7

DescriptionNVD

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

AnalysisAI

Undertow HTTP request smuggling via malformed header terminator allows remote unauthenticated attackers to bypass security controls and manipulate web requests through vulnerable proxies including older Apache Traffic Server and Google Cloud Classic Application Load Balancer. With CVSS 8.7 (High/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N), the vulnerability affects multiple Red Hat product lines including JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 distributions. …

RemediationAI

Within 24 hours: inventory all JBoss EAP 7 and 8, Fuse 7, Data Grid 8, and RHEL 8-10 deployments; determine exposure via Apache Traffic Server or Google Cloud Classic ALB proxies. Within 7 days: implement network segmentation to restrict direct access to affected systems and deploy WAF rules to detect malformed HTTP header terminators; contact Red Hat for patch timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-8842 MEDIUM This Month

6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

EUVD-2026-16694 vulnerability details – vuln.today

Back

Apache EUVD-2026-16694

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code