QSearchQSearch

CVE-2026-28368

8.7 HIGH

A flaw was found in Undertow

Published: 2026-03-27 · Last updated: 2026-06-10

Severity and scoring

CVSS
8.7 HIGH
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE
CWE-444

Affected products

VendorProduct
redhatbuild_of_apache_camel_-_hawtio, build_of_apache_camel_for_spring_boot, data_grid

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-1767 A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
  • CVE-2026-1766 A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
  • CVE-2026-11793 A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11790 A flaw was found in 389 Directory Server (4.9 MEDIUM)
  • CVE-2026-11789 A flaw was found in 389 Directory Server (4.9 MEDIUM)

Same CWE

  • CVE-2026-50020 Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
  • CVE-2026-46342 Nuxt is an open-source web development framework for Vue.js (5.4 MEDIUM)
  • CVE-2026-6338 A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series
  • CVE-2026-41853 Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
  • CVE-2026-44546 daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)