Description
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote request smuggling leading to data exposure
Action: Immediate Patch
AI Analysis

Impact

The issue arises when the first line after the request-line of an HTTP/1.1 request begins with one or more spaces. RFC 9112 forbids a sender from placing whitespace between the start-line and the first header field and requires a recipient either to reject such a message or to ignore the whitespace-preceded line entirely; Undertow instead strips the leading whitespace and processes the line as a normal header. A front-end that follows the standard (reverse proxy, load balancer, WAF) therefore sees a different header set from Undertow for the same bytes, and when the disputed line influences message framing the two components disagree about where one request ends and the next begins. That desynchronization is request smuggling (CWE-444): a remote attacker who can send requests to the server can use it to bypass authentication or access-control checks enforced at the front-end, poison server-side caches, and potentially read or modify sensitive data. This flaw can lead to unauthorized data exposure or actions against the affected system.

Affected Systems

Affected vendors include Red Hat, whose products bundle Undertow in several offerings. The vulnerable products list includes Red Hat Data Grid 8, Red Hat Enterprise Linux 8, 9 and 10, Red Hat Fuse 7, Red Hat JBoss Enterprise Application Platform 7 and 8 together with the JBoss EAP Expansion Pack (jbosseapxp), Red Hat Process Automation 7 (CPE jboss_enterprise_bpms_platform), Red Hat Single Sign-On 7, and the Red Hat builds of Apache Camel: HawtIO 4 and Camel for Spring Boot 4. The CPEs carry no version range below the major version, so any deployment of these products that serves HTTP through Undertow should be treated as potentially affected until the vendor publishes fixed versions.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) scores 8.7 High: the attack is remote, needs no privileges or user interaction, and carries high confidentiality and integrity impact with a changed scope, since a smuggled request affects other components sharing the connection rather than only Undertow itself. Attack complexity is rated High because a practical smuggling attack depends on a front-end component parsing the same bytes differently from Undertow. The EPSS estimate is below 1% and the CVE is not listed in KEV, so there is no evidence of exploitation campaigns yet, but an attacker needs nothing more than the ability to send HTTP requests to the affected service. Because the flaw is a departure from RFC 9112, a reverse proxy or WAF that rejects header lines beginning with whitespace, as the standard permits, can mitigate the risk until a patch is applied.

Generated by OpenCVE AI on March 27, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or update for Red Hat products that addresses the Undertow request smuggling flaw.
  • If no patch is available, have the reverse proxy, WAF or load balancer in front of Undertow reject any request whose header section contains a line beginning with a space or tab (RFC 9112 permits rejecting such messages) rather than normalising it and forwarding it on.
  • Monitor Red Hat security advisories (https://access.redhat.com/security/cve/CVE-2026-28369) for updates and apply promptly.
  • Ensure that web application servers are configured to enforce strict HTTP header parsing, so that malformed header lines are rejected rather than silently normalised and honoured.
  • If possible, isolate or restrict the exposed Undertow service to trusted networks to limit attacker access.
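As an added example (not from the OpenCVE page, Red Hat, or the Undertow project), the following Python models the three ways a parser can treat a whitespace-prefixed first header line described in the Impact section and targeted by the second recommended action: reject the message (RFC 9112 option 1), ignore the line (RFC 9112 option 2), or strip the whitespace and honour the line as the advisory says Undertow does. The request bytes are constructed for illustration, and the lenient parser is a model of the reported effect, not Undertow's code. Running it shows why a front-end filter that rejects such lines works: the strict parser refuses the request outright, while an ignoring front-end and a lenient back-end would disagree about whether a framing header is present at all.

```python
import re

# Constructed sample requests for illustration, not captured traffic.
# MALFORMED has its first header line prefixed with a space, the shape the
# advisory describes; WELL_FORMED is the same request written correctly.
MALFORMED_REQUEST = (
    b"POST /api/orders HTTP/1.1\r\n"
    b" Content-Length: 5\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
    b"hello"
)
WELL_FORMED_REQUEST = (
    b"POST /api/orders HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# field-name ":" OWS field-value OWS (RFC 9112 section 5); tchar per RFC 9110
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def split_head(raw: bytes):
    """Return (request_line, header_lines) for a raw HTTP/1.1 request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def _field(line: bytes, headers: dict) -> None:
    """Parse one well-formed header line into the (lower-cased) headers dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed header line: %r" % line)
    headers[m.group(1).lower().decode()] = m.group(2).decode()


def parse_strict(raw: bytes) -> dict:
    """RFC 9112 option 1: any header line that begins with SP or HTAB makes the
    message invalid. This is the check a front-end filter should apply."""
    _request_line, header_lines = split_head(raw)
    headers: dict = {}
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("header line begins with whitespace: %r" % line)
        _field(line, headers)
    return headers


def parse_ignoring(raw: bytes) -> dict:
    """RFC 9112 option 2: whitespace-preceded lines before the first proper
    header field are consumed without being processed. A whitespace-preceded
    line after a proper field would be obsolete line folding, which this model
    rejects rather than unfolding."""
    _request_line, header_lines = split_head(raw)
    headers: dict = {}
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            if headers:
                raise ValueError("obs-fold not accepted: %r" % line)
            continue  # ignore the whole line, as the RFC permits
        _field(line, headers)
    return headers


def parse_lenient(raw: bytes) -> dict:
    """Model of the behaviour the advisory describes: leading whitespace on the
    first header line is stripped and the line is honoured as a normal header.
    This is not Undertow's code, only a model of the reported effect."""
    _request_line, header_lines = split_head(raw)
    headers: dict = {}
    for i, line in enumerate(header_lines):
        if i == 0:
            line = line.lstrip(b" \t")
        _field(line, headers)
    return headers


def is_rejected_by_strict_parser(raw: bytes) -> bool:
    try:
        parse_strict(raw)
    except ValueError:
        return True
    return False


def framing_views(raw: bytes):
    """Content-Length as seen by an RFC-following front-end that ignores the
    bad line versus a lenient back-end. A mismatch is the CWE-444 condition:
    the two ends disagree on where the request body ends."""
    return (parse_ignoring(raw).get("content-length"),
            parse_lenient(raw).get("content-length"))


if __name__ == "__main__":
    for name, req in (("malformed", MALFORMED_REQUEST), ("well-formed", WELL_FORMED_REQUEST)):
        print(name, "strict rejects:", is_rejected_by_strict_parser(req),
              "(front-end, back-end) content-length:", framing_views(req))
```

parse_strict is the check to place in a front-end filter; framing_views is the comparison that makes the desynchronization visible, since for the malformed request the ignoring front-end sees no Content-Length while the lenient back-end sees 5.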


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Title Undertow: undertow: request smuggling via malformed http request headers
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-444
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-28T03:55:50.877Z

Reserved: 2026-02-27T04:42:16.439Z

Link: CVE-2026-28369

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T17:16:28.240

Modified: 2026-03-27T17:16:28.240

Link: CVE-2026-28369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:09Z

Weaknesses