QSearchQSearch

CVE-2026-28367

8.7 HIGH

A flaw was found in Undertow

Published: 2026-03-27 · Last updated: 2026-06-10

Severity and scoring

CVSS
8.7 HIGH
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE
CWE-444

Affected products

VendorProduct
redhatbuild_of_apache_camel_-_hawtio, build_of_apache_camel_for_spring_boot, data_grid

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-1767 A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
  • CVE-2026-1766 A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
  • CVE-2026-11793 A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11790 A flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11789 A flaw was found in 389 Directory Server (4.9 MEDIUM)

Same CWE

  • CVE-2026-50020 Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
  • CVE-2026-46342 Nuxt is an open-source web development framework for Vue.js (5.4 MEDIUM)
  • CVE-2026-6338 A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series
  • CVE-2026-41853 Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
  • CVE-2026-44546 daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)