Skip to main content

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network unauthenticated, but requires a specific vulnerable fronting proxy (AC:H); smuggling crosses the proxy/origin trust boundary (S:C) impacting confidentiality and integrity of other users' requests.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Red Hat
8.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 10, 2026 - 22:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 10, 2026 - 22:22 NVD
HIGH CRITICAL
CVSS changed
Jun 10, 2026 - 22:22 NVD
8.7 (HIGH) 9.1 (CRITICAL)
EUVD ID Assigned
Mar 27, 2026 - 16:45 euvd
EUVD-2026-16694
Analysis Generated
Mar 27, 2026 - 16:45 vuln.today
CVE Published
Mar 27, 2026 - 16:13 nvd
HIGH 8.7

DescriptionNVD

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

AnalysisAI

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send \r\r\r as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Technical ContextAI

Undertow is the embedded high-performance non-blocking HTTP server used by JBoss EAP, WildFly, and many Red Hat middleware products. This issue is a CWE-444 (Inconsistent Interpretation of HTTP Requests) class flaw: Undertow treats the non-standard sequence \r\r\r as a valid end-of-headers marker, while certain upstream proxies parse it differently. When the front-end and back-end disagree on where one request ends and the next begins, attackers can append a hidden second request inside a single TCP/HTTP connection - classic HTTP request smuggling. The named vulnerable intermediaries (Apache Traffic Server older versions, Google Cloud Classic Application Load Balancer) are the parsers that produce the desync; the Undertow CPE list confirms the back-end exposure across RHEL 8/9/10, JBoss EAP 7/8, Data Grid 8, Fuse 7, and Camel-based products.

RemediationAI

Patch available per vendor advisory - apply the Red Hat errata RHSA-2026:25125 and RHSA-2026:25126 (https://access.redhat.com/errata/RHSA-2026:25125, https://access.redhat.com/errata/RHSA-2026:25126) to bring Undertow to a build that rejects \r\r\r as a header terminator across the affected JBoss EAP, Data Grid, Fuse, Camel and RHEL streams. Where immediate patching is not possible, migrate off Google Cloud Classic Application Load Balancer to the Global/Regional Application Load Balancer (which enforces stricter HTTP parsing) and upgrade Apache Traffic Server to a current release that rejects the malformed terminator - note this can require revalidating origin health checks and any URL-rewrite rules. As a compensating control, place a strict HTTP/1.1 normalizing proxy (e.g., recent nginx or HAProxy with http-request strict-mode) in front of Undertow to reject requests with anomalous CR/LF sequences before they reach the back-end, accepting the operational overhead of an extra hop and stricter rejection of malformed clients.

Vendor StatusVendor

Share

EUVD-2026-16694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy