Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
Summary
| CVE | CVE-2026-28367 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-27 17:16:27 UTC |
| Updated | 2026-04-10 14:22:53 UTC |
| Description | A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.000420000 probability, percentile 0.127410000 (date 2026-04-15)
Problem Types: CWE-444 | CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Build Of Apache Camel - Hawtio | 4.0 | All | All | All |
| Application | Redhat | Build Of Apache Camel For Spring Boot | 4.0 | All | All | All |
| Application | Redhat | Data Grid | 8.0 | All | All | All |
| Application | Redhat | Fuse | 7.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 8.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform Expansion Pack | - | All | All | All |
| Application | Redhat | Process Automation | 7.0 | All | All | All |
| Application | Redhat | Single Sign-on | 7.0 | All | All | All |
| Application | Redhat | Undertow | - | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-28367 | [email protected] | access.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-02-27T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2025-08-27T00:00:00.000Z | Made public. |
Workarounds
CNA: To mitigate this vulnerability, configure any proxy servers positioned in front of Undertow to strictly validate HTTP header terminations. Ensure that these proxies are configured to reject or normalize non-standard header block terminators, such as `\r\r\r`, before forwarding requests to Undertow. This operational control helps prevent request smuggling attacks by ensuring that only properly formed HTTP requests reach the Undertow server.