Undertow is Vulnerable to HTTP Request/Response Smuggling

GHSA-8v4x-mgvp-p658 · CVE-2026-28368

Published Mar 27, 2026 · Modified Jun 11, 2026

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-28368
WEB https://access.redhat.com/errata/RHSA-2026:25125
WEB https://access.redhat.com/errata/RHSA-2026:25126
WEB https://access.redhat.com/security/cve/CVE-2026-28368
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2443261
PACKAGE https://github.com/undertow-io/undertow

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes