Skip to main content

Red Hat Build Of Apache Camel Hawtio 4

3 CVEs product

Monthly

CVE-2026-28369 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28367 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-28368 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass +13
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy