Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Request smuggling that can allow unauthorized access or manipulation of web requests
Action: Immediate Patch
AI Analysis

Impact

A flaw in Undertow permits a remote attacker to send the characters \r\r\r as a header block terminator. This non‑standard terminator causes certain proxy servers to parse the request boundary differently from Undertow, enabling request smuggling. The resulting smuggled request can reach backend services without the original client’s knowledge, potentially allowing the attacker to bypass access controls, alter request data, or perform other unauthorized actions. The weakness is classified as CWE‑444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP request smuggling).

Affected Systems

This issue affects a wide range of Red Hat products that embed Undertow, including Red Hat Data Grid 8, Red Hat JBoss Enterprise Application Platform versions 7 and 8, Red Hat Fuse 7, Red Hat Process Automation 7, Red Hat Single Sign‑On 7, Red Hat build of Apache Camel – HawtIO 4 and Camel for Spring Boot 4, and the Red Hat Enterprise Linux families (8, 9, 10). Specific component versions are not listed, so any release that contains the affected Undertow framework should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.7 marks this as a high severity vulnerability. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, but the exploit vector is remote, requiring only the ability to send crafted HTTP requests to an Undertow server. In environments that use older proxy servers such as Apache Traffic Server or Google Cloud Classic Application Load Balancer, the differing interpretation of the header terminator makes smuggling feasible, so the risk is higher for systems that expose Undertow behind such proxies.

Generated by OpenCVE AI on March 27, 2026 at 17:22 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, configure any proxy servers positioned in front of Undertow to strictly validate HTTP header terminations. Ensure that these proxies are configured to reject or normalize non-standard header block terminators, such as `\r\r\r`, before forwarding requests to Undertow. This operational control helps prevent request smuggling attacks by ensuring that only properly formed HTTP requests reach the Undertow server.


OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade to the latest release of the affected Red Hat product that contains the fixed Undertow component
  • Configure any front‑end proxy, load balancer, or reverse‑proxy to enforce strict HTTP header termination rules, rejecting or normalizing non‑standard \r\r\r sequences before forwarding requests to Undertow
  • If a patch or a compliant proxy is not yet available, isolate Undertow services behind a hardened firewall or a separate proxy that filters malformed HTTP traffic
  • Monitor application logs and network traffic for abnormal carriage‑return characters or signs of request smuggling to detect attempted exploitation
  • Verify that no older, vulnerable proxy servers remain in service for connections to Undertow
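The vendor workaround and the recommended actions above both come down to one check: before a request reaches Undertow, the front‑end component must confirm that the header block ends with the strict CRLF CRLF sequence and contains no bare CR or LF, and log anything else. The following is an added example of that check, written for this page; it is not code from OpenCVE, Red Hat or the Undertow project. The function names and the sample requests are constructed for illustration, and the check is generalized beyond the single \r\r\r case in the advisory to any bare CR or bare LF inside the header block.

```python
import re

# Strict terminator the HTTP/1.1 grammar requires between header block and body.
STRICT_TERMINATOR = b"\r\n\r\n"
BARE_CR = re.compile(rb"\r(?!\n)")   # a CR that is not followed by LF
BARE_LF = re.compile(rb"(?<!\r)\n")  # an LF that is not preceded by CR


def split_header_block(raw: bytes):
    """Split a raw request at the first strict CRLF CRLF.

    Returns (header_bytes, body_bytes, found). When no strict terminator
    exists the whole buffer is treated as header material so that a
    non-standard terminator such as CR CR CR is still inspected.
    """
    idx = raw.find(STRICT_TERMINATOR)
    if idx == -1:
        return raw, b"", False
    return raw[:idx + 2], raw[idx + 4:], True


def audit_header_block(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the header block is
    strictly terminated and every line ends in CRLF."""
    header, _body, found = split_header_block(raw)
    findings = []
    if not found:
        findings.append("header block is not terminated by CRLF CRLF")
    for m in BARE_CR.finditer(header):
        findings.append(f"bare CR at offset {m.start()}")
    for m in BARE_LF.finditer(header):
        findings.append(f"bare LF at offset {m.start()}")
    return findings


def is_strictly_terminated(raw: bytes) -> bool:
    """Accept-or-reject decision a proxy or WAF layer could apply before
    forwarding to Undertow: only strictly formed header blocks pass."""
    return not audit_header_block(raw)


def summarize(samples: dict[str, bytes]) -> dict[str, bool]:
    """Run the audit over a batch of captured requests (e.g. from a traffic
    log) and report which ones would be forwarded."""
    return {name: is_strictly_terminated(raw) for name, raw in samples.items()}


# Constructed sample requests (not real traffic): one conforming request, one
# using CR CR CR in place of CRLF CRLF, and one with a bare-LF line ending.
SAMPLES = {
    "conforming": b"GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "bare_cr_terminator": b"GET /health HTTP/1.1\r\nHost: app.example\r\r\r",
    "bare_lf_line_ending": b"GET /health HTTP/1.1\nHost: app.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = "FORWARD" if is_strictly_terminated(raw) else "REJECT"
        print(f"{name}: {verdict}")
        for finding in audit_header_block(raw):
            print(f"  - {finding}")
```

Rejecting rather than normalizing is the safer of the two options named in the workaround: normalizing a bare CR into CRLF means the proxy is choosing one interpretation on the client's behalf, while rejecting guarantees that Undertow and the proxy never see a request they could parse differently. The findings list, with byte offsets, is what belongs in the proxy or application log for the monitoring action above.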

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Title | | Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
First Time appeared | | Redhat; Redhat apache Camel Hawtio; Redhat camel Spring Boot; Redhat enterprise Linux; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jboss Enterprise Bpms Platform; Redhat jboss Fuse; Redhat jbosseapxp; Redhat red Hat Single Sign On
Weaknesses | | CWE-444
CPEs | | cpe:/a:redhat:apache_camel_hawtio:4; cpe:/a:redhat:camel_spring_boot:4; cpe:/a:redhat:jboss_data_grid:8; cpe:/a:redhat:jboss_enterprise_application_platform:7; cpe:/a:redhat:jboss_enterprise_application_platform:8; cpe:/a:redhat:jboss_enterprise_bpms_platform:7; cpe:/a:redhat:jboss_fuse:7; cpe:/a:redhat:jbosseapxp; cpe:/a:redhat:red_hat_single_sign_on:7; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat apache Camel Hawtio; Redhat camel Spring Boot; Redhat enterprise Linux; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jboss Enterprise Bpms Platform; Redhat jboss Fuse; Redhat jbosseapxp; Redhat red Hat Single Sign On
References | |
Metrics | | cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-27T17:00:45.370Z

Reserved: 2026-02-27T04:42:16.439Z

Link: CVE-2026-28367

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T17:16:27.750

Modified: 2026-03-27T17:16:27.750

Link: CVE-2026-28367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:10Z

Weaknesses