Description
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote request smuggling allowing unauthorized access
Action: Apply Patch
AI Analysis

Impact

A flaw exists in Undertow where header names are parsed inconsistently between the server and upstream proxies. This discrepancy, classified as CWE‑444, lets a remote attacker craft requests that the proxy interprets differently than Undertow, enabling a request smuggling attack. By smuggling a secondary request into the upstream service, an attacker can bypass normal authentication or security controls and access resources that should be protected.

Affected Systems

The vulnerability affects several Red Hat products, including Red Hat Enterprise Linux 8, 9, and 10; Red Hat JBoss Enterprise Application Platform 7 and 8; Red Hat JBoss Fuse 7; Red Hat Process Automation 7; Red Hat Single Sign‑On 7; Red Hat Data Grid 8; Red Hat JBoss Enterprise Application Platform Expansion Pack; and Red Hat builds of Apache Camel HawtIO and Camel for Spring Boot 4. Any deployment that uses Undertow as its servlet container is at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, and while EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog, the attack vector is remote and does not require authentication. An attacker can send specifically crafted HTTP requests over the network to an exposed Undertow‑based service, with the headers interpreted differently by a proxy, to smuggle hidden requests into downstream systems. Successful exploitation could result in unauthorized data access, privilege escalation, or disruption of service.

Generated by OpenCVE AI on March 27, 2026 at 17:22 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check if your environment uses any of the affected Red Hat components listed above.
  • Consult Red Hat security advisories and install any available updates or patches for the affected products.
  • If a patch is not yet released, block or restrict external access to the Undertow services or route traffic through a proxy that normalizes headers.
  • Implement network monitoring to detect anomalous HTTP request patterns indicative of smuggling attempts.
  • Maintain overall system hygiene by applying all other relevant Red Hat security updates and following best‑practice hardening guidelines.



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

Type: Title
Values Removed: (none)
Values Added: Undertow: undertow: request smuggling via inconsistent header parsing

Type: First Time appeared
Values Removed: (none)
Values Added: Redhat; Redhat apache Camel Hawtio; Redhat camel Spring Boot; Redhat enterprise Linux; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jboss Enterprise Bpms Platform; Redhat jboss Fuse; Redhat jbosseapxp; Redhat red Hat Single Sign On

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-444

Type: CPEs
Values Removed: (none)
Values Added:
cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9

Type: Vendors & Products
Values Removed: (none)
Values Added: Redhat; Redhat apache Camel Hawtio; Redhat camel Spring Boot; Redhat enterprise Linux; Redhat jboss Data Grid; Redhat jboss Enterprise Application Platform; Redhat jboss Enterprise Bpms Platform; Redhat jboss Fuse; Redhat jbosseapxp; Redhat red Hat Single Sign On

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-27T19:57:36.565Z

Reserved: 2026-02-27T04:42:16.439Z

Link: CVE-2026-28368

Vulnrichment

Updated: 2026-03-27T18:49:50.042Z

NVD

Status : Received

Published: 2026-03-27T17:16:27.993

Modified: 2026-03-27T17:16:27.993

Link: CVE-2026-28368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:11Z

Weaknesses