Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Request Smuggling
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Undertow, where a remote attacker can send three consecutive carriage return characters (\r\r\r) as the header block terminator. This malformed terminator is interpreted by some older HTTP gateway software as the end of the header section, allowing an attacker to split a single logical request into multiple physical requests. The resulting request smuggling can lead to unauthorized access or manipulation of web requests, enabling the attacker to bypass security controls, read or overwrite sensitive data, or trigger unintended operations. The weakness is classified as HTTP Request Smuggling (CWE‑444).

Affected Systems

Affected products include several Red Hat distributions that embed Undertow, such as Red Hat Enterprise Linux 8, 9 and 10, Red Hat Data Grid 8, Red Hat Fuse 7, the JBoss Enterprise Application Platform 7 and 8 along with their Expansion Packs, Red Hat Process Automation 7, Red Hat Single Sign‑On 7, and Red Hat builds of Apache Camel – HawtIO 4 and Apache Camel for Spring Boot 4. The specific versions impacted are not explicitly listed in the advisory, but the advisory applies to all releases that contain the vulnerable Undertow component until it receives an official fix from Red Hat.

Risk and Exploitability

The issue carries a CVSS score of 8.7, indicating high severity, but the EPSS score of less than 1 % suggests the likelihood of exploitation at this time is low. The vulnerability is not listed in CISA’s KEV catalog, meaning no publicly known exploits have been documented. The attack requires a remote attacker to craft a request that uses the non‑standard \r\r\r terminator and the traffic must pass through a proxy or load balancer that incorrectly parses headers, such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. Given the need for specific gateway behavior, exploitation success is contingent upon the presence of those intermediaries.

Generated by OpenCVE AI on April 10, 2026 at 15:22 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, configure any proxy servers positioned in front of Undertow to strictly validate HTTP header terminations. Ensure that these proxies are configured to reject or normalize non-standard header block terminators, such as `\r\r\r`, before forwarding requests to Undertow. This operational control helps prevent request smuggling attacks by ensuring that only properly formed HTTP requests reach the Undertow server.


OpenCVE Recommended Actions

  • Apply the latest Red Hat security update that includes a fixed version of Undertow.
  • Configure any proxy servers or load balancers in front of Undertow to strictly validate HTTP header terminators, rejecting or normalizing non‑standard sequences such as `\r\r\r`.
  • If a proxy cannot be adjusted, isolate the affected services behind a firewall or network segmentation to limit exposure to potential smuggling traffic.
  • Monitor HTTP traffic for abnormal header terminators and review logs for repeated smuggling attempts.
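The strict terminator check described in the vendor workaround and in the recommended actions, as an added example (not OpenCVE's, Red Hat's or Undertow's code): it scans a raw request up to the first standard `\r\n\r\n` and reports every bare CR or bare LF in the header block, which is exactly where a proxy and Undertow might disagree on where the headers end. The sample requests are constructed for illustration.

```python
# Strict header-section terminator per RFC 9112: an empty line, i.e. CRLF CRLF.
STRICT_TERMINATOR = b"\r\n\r\n"


def scan_header_block(raw: bytes) -> dict:
    """Inspect the header block of a raw HTTP/1.x request.

    Returns {"terminated": bool, "violations": [(offset, kind), ...]} where
    kind is "bare CR" (a CR not followed by LF) or "bare LF" (an LF not
    preceded by CR).  A sequence such as \\r\\r\\r shows up as three bare CRs.
    """
    end = raw.find(STRICT_TERMINATOR)
    block = raw if end < 0 else raw[:end]
    violations = []
    i = 0
    while i < len(block):
        if block[i:i + 1] == b"\r":
            if block[i + 1:i + 2] == b"\n":
                i += 1          # proper CRLF: skip the LF
            else:
                violations.append((i, "bare CR"))
        elif block[i:i + 1] == b"\n":
            violations.append((i, "bare LF"))
        i += 1
    return {"terminated": end >= 0, "violations": violations}


def decide(raw: bytes) -> str:
    """Policy a front-end proxy could apply before forwarding to Undertow.

    "reject"     - non-standard line/terminator bytes inside the headers;
                   rejecting is chosen over rewriting, since rewriting a
                   malformed terminator silently changes message boundaries.
    "incomplete" - no CRLF CRLF yet (keep reading, or reject on timeout).
    "accept"     - only CRLF line endings and a standard terminator.
    """
    result = scan_header_block(raw)
    if result["violations"]:
        return "reject"
    if not result["terminated"]:
        return "incomplete"
    return "accept"


if __name__ == "__main__":
    # Constructed samples: a well-formed request and one using \r\r\r in the
    # header block, the pattern named in the advisory.
    good = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    bad = b"POST / HTTP/1.1\r\nHost: example.test\r\r\rX-Smuggled: 1\r\n\r\n"
    for req in (good, bad):
        print(decide(req), scan_header_block(req)["violations"])
```

Running the block prints `accept []` for the well-formed request and `reject` with the three bare-CR offsets for the second one; the same scan can be run over captured traffic to satisfy the monitoring recommendation above.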


Tracking


Advisories
Source ID Title
Github GHSA GHSA-3gv6-g396-9v4r Undertow is Vulnerable to HTTP Request/Response Smuggling
History

Fri, 10 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat single Sign-on
Redhat undertow
CPEs cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
Vendors & Products Redhat single Sign-on
Redhat undertow

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Vendors & Products Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation

Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Title Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-444
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-10T14:50:20.986Z

Reserved: 2026-02-27T04:42:16.439Z

Link: CVE-2026-28367

Vulnrichment

Updated: 2026-03-31T13:27:49.899Z

NVD

Status : Analyzed

Published: 2026-03-27T17:16:27.750

Modified: 2026-04-10T14:22:53.400

Link: CVE-2026-28367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:28:14Z

Weaknesses