Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests

GHSA-3x3v-w654-m28m · CVE-2026-3260

Published Mar 24, 2026 · Modified May 21, 2026

Description

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-3260
WEB https://access.redhat.com/security/cve/CVE-2026-3260
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2443010
PACKAGE https://github.com/undertow-io/undertow
WEB https://github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes