anonhaven
Ad

CVE-2026-28369

CRITICAL CVSS 3.1: 9.1 EPSS 0.15%
Updated Mar 31, 2026
Red Hat
Parameter Value
CVSS 9.1 (CRITICAL)
Type CWE-444
Vendor Red Hat
Public PoC No

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling.

Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-444

Vulnerable Products 11

Configuration From (including) Up to (excluding)
Redhat Build_Of_Apache_Camel_-_Hawtio
cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
Redhat Build_Of_Apache_Camel_For_Spring_Boot
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
Redhat Data_Grid
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
Redhat Fuse
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
Redhat Jboss_Enterprise_Application_Platform_Expansion_Pack
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
Redhat Process_Automation
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
Redhat Single_Sign-On
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Redhat Undertow
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
Redhat Enterprise_Linux
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

References 2

https://access.redhat.com/security/cve/CVE-2026-28369
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2443262
secalert@redhat.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28368

Red Hat

9.1

CVE-2026-0965

Red Hat

3.3

CVE-2026-0967

Red Hat

2.2

CVE-2026-2272

GIMP

6.5

CVE-2026-2239

GIMP

6.5