Impact
The flaw is in the core of Undertow, the HTTP server embedded in WildFly, JBoss EAP, and other Java applications. Undertow does not validate the Host header of incoming requests, so a request carrying a malformed or attacker-chosen Host value is accepted and processed instead of being rejected with 400 Bad Request, as RFC 7230 section 5.4 requires for a missing, duplicated, or invalid Host. Because applications routinely build absolute URLs, redirects, and cache keys from the Host value, this lets an attacker poison server caches, carry out internal network scans, or hijack user sessions. The weakness is classified as Improper Input Validation (CWE-20).
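As an added illustration (not Undertow, WildFly, or Red Hat code), the following Python shows the kind of strict Host validation the advisory says is missing, beside the absolute-URL pattern that turns a missing check into cache poisoning or session hijack, plus a small triage helper for Host values pulled from access logs. The allowlist TRUSTED_HOSTS, the header lists, and the log values are all constructed for the example; the DNS-hostname restriction on reg-name is a deliberate tightening of RFC 3986, not something the advisory specifies.

```python
"""Added example (not Undertow, WildFly or Red Hat code): strict Host header
validation per RFC 7230 s5.4 / RFC 3986 s3.2.2, shown beside the
absolute-URL pattern that turns a missing check into cache poisoning or
session hijack. TRUSTED_HOSTS and all inputs below are constructed."""
import ipaddress
import re

# uri-host is an IP literal, an IPv4 address or a reg-name. reg-name is
# restricted here to DNS hostname syntax (alphanumeric/hyphen labels joined
# by dots), which is what real deployments actually serve.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Constructed allowlist: the authorities this origin actually answers for.
TRUSTED_HOSTS = {"app.example.com", "app.example.com:8443"}


def normalize_host(value):
    """Return the canonical authority ('host' or 'host:port') for a well-formed
    Host value, or raise ValueError. Whitespace, control bytes, userinfo,
    paths, a second colon and out-of-range ports are all rejected."""
    if not value or len(value) > 255:
        raise ValueError("missing, empty or oversized Host")
    if any(not 0x21 <= ord(c) <= 0x7E for c in value):
        raise ValueError("whitespace, control or non-ASCII byte in Host")
    if value.startswith("["):                         # IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IP literal")
        ipaddress.IPv6Address(value[1:end])           # ValueError if malformed
        host, rest = value[:end + 1].lower(), value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        if not _HOSTNAME.match(host):
            raise ValueError(f"bad host name {host!r}")
        host, rest = host.lower().rstrip("."), sep + rest
    if not rest:
        return host
    if not re.fullmatch(r":\d{1,5}", rest) or int(rest[1:]) > 65535:
        raise ValueError(f"bad port {rest!r}")
    return f"{host}:{int(rest[1:])}"


def validated_host(headers, trusted=TRUSTED_HOSTS):
    """headers is a list of (name, value) pairs as parsed off the wire.
    Enforces exactly one Host (RFC 7230 s5.4), well-formed and allowlisted."""
    values = [v for k, v in headers if k.lower() == "host"]
    if len(values) != 1:
        raise ValueError(f"expected exactly one Host header, got {len(values)}")
    authority = normalize_host(values[0])
    if authority not in trusted:
        raise ValueError(f"Host {authority!r} is not served by this origin")
    return authority


def reset_link_vulnerable(headers, token):
    """The bug pattern: echo whatever Host the client sent into an absolute
    URL that is then emailed to a victim or stored in a shared cache."""
    host = {k.lower(): v for k, v in headers}["host"]
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(headers, token):
    """Same link, but only ever built from an allowlisted authority."""
    return f"https://{validated_host(headers)}/reset?token={token}"


def flag_hosts(values, trusted=TRUSTED_HOSTS):
    """Triage helper for Host values pulled from access logs: 'ok',
    'malformed' (would be rejected by the check) or 'unexpected'
    (well-formed but not an authority this origin serves)."""
    out = []
    for v in values:
        try:
            authority = normalize_host(v)
        except ValueError:
            out.append((v, "malformed"))
            continue
        out.append((v, "ok" if authority in trusted else "unexpected"))
    return out


if __name__ == "__main__":
    attack = [("Host", "attacker.example"), ("User-Agent", "curl/8.0")]
    print(reset_link_vulnerable(attack, "t0k3n"))    # points at the attacker
    try:
        reset_link_hardened(attack, "t0k3n")
    except ValueError as err:
        print("rejected:", err)
    for entry in flag_hosts(["app.example.com", "attacker.example", "a b"]):
        print(entry)
```

The allowlist comparison is done on the normalized authority (lower-cased, trailing dot stripped, port numerically parsed), so case tricks and leading zeros in the port cannot slip a second spelling of a trusted host past the check, and a duplicated Host header is refused outright rather than letting the last value win, which is exactly what the dictionary in the vulnerable variant does.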
Affected Systems
The vulnerability affects the Red Hat product families that embed Undertow: Red Hat Enterprise Linux 8, 9, and 10; Red Hat Data Grid 8; Red Hat Fuse 7; Red Hat JBoss Enterprise Application Platform 7.4, 8.0, and 8.1; the Enterprise Application Platform Expansion Pack; Red Hat Process Automation 7; Red Hat Single Sign-On 7; and the Red Hat builds of Apache Camel HawtIO 4 and Apache Camel 4.14.4 for Spring Boot 3.5.11. The supplied data names only product families; it gives no affected or fixed Undertow version, so the errata for each product must be consulted to tell whether a particular deployment carries the fix.
Risk and Exploitability
With a CVSS score of 9.6 the flaw rates as Critical, while its EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need network access to a publicly or internally reachable HTTP service running an affected Undertow-based application and would send a request with a crafted Host header to manipulate cache entries, trigger internal scans, or hijack user sessions. The critical score indicates substantial impact on confidentiality, integrity, and availability if exploitation succeeds. Note that EPSS is a point-in-time estimate and Host header manipulation needs nothing more than a single crafted request, so exposed instances should be patched, or at least fronted by a reverse proxy that enforces a strict Host allowlist, rather than deprioritized on the EPSS figure alone.