CVE-2026-28369
8.7 HIGH
A flaw was found in Undertow
Published: 2026-03-27 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 8.7 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
- CWE: CWE-444
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_apache_camel_-_hawtio, build_of_apache_camel_for_spring_boot, data_grid |
Description
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Source: NVD
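As an added illustration (not Undertow's code or a fix from the project), this is the check a strict HTTP/1.1 parser applies under RFC 9112 section 2.2: a header block whose first line begins with whitespace is rejected rather than stripped, so the front-end and back-end cannot disagree about where the headers start. The sample requests are constructed; the function name and the decision to also reject later folded lines are this example's own choices.

```python
# Strict HTTP/1.1 request-head validator (added example, not Undertow code).
# RFC 9112 section 2.2 forbids whitespace between the request line and the
# first header field; a recipient must reject such a message or discard each
# whitespace-preceded line without processing it. Stripping the whitespace and
# treating the line as a normal header (the behaviour the CVE describes) is
# what lets two parsers in the same request path disagree about the headers.

from typing import Optional, Tuple

HEAD_END = b"\r\n\r\n"

def validate_request_head(raw: bytes) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reason). Only the request line and headers are examined."""
    end = raw.find(HEAD_END)
    if end < 0:
        return False, "incomplete head"
    lines = raw[:end].split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if request_line[:1] in (b" ", b"\t") or len(request_line.split(b" ")) != 3:
        return False, "malformed request line"
    for idx, line in enumerate(header_lines):
        if line[:1] in (b" ", b"\t"):
            # idx == 0 is exactly the CVE-2026-28369 case; later ones are
            # obs-fold continuations, which this strict validator also rejects.
            where = "first header line" if idx == 0 else f"header line {idx + 1}"
            return False, f"{where} begins with whitespace"
        name, sep, _ = line.partition(b":")
        # RFC 9112 also forbids whitespace between the field name and the colon.
        if not sep or not name or name != name.strip():
            return False, f"malformed header line {idx + 1}"
    return True, None

# Constructed sample requests (not captured traffic).
GOOD = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
LEADING_SPACE = b"POST /api HTTP/1.1\r\n Host: example.test\r\nContent-Length: 0\r\n\r\n"
OBS_FOLD = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\r\n 2\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("leading-space", LEADING_SPACE), ("obs-fold", OBS_FOLD)):
        print(label, validate_request_head(req))
```

The same predicate can be run over captured request heads at a reverse proxy or in a WAF rule to flag traffic that relies on the lenient behaviour.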
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-28369
- [Other] https://access.redhat.com/errata/RHSA-2026:25125
- [Other] https://access.redhat.com/errata/RHSA-2026:25126
- [Vendor advisory] https://access.redhat.com/security/cve/CVE-2026-28369
- [Vendor advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2443262
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-50020 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-46342 — Nuxt is an open-source web development framework for Vue.js (5.4 MEDIUM)
- CVE-2026-6338 — A HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series
- CVE-2026-41853 — Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks (5.3 MEDIUM)
- CVE-2026-44546 — daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)