Description
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Request Smuggling
Action: Patch ASAP
AI Analysis

Impact

A flaw in Undertow causes the server to strip leading spaces from the first header line of an HTTP request, violating the HTTP standard. This mishandling can be leveraged to execute request smuggling, allowing an attacker to bypass security controls, gain unauthorized access, or modify cache entries, potentially exposing confidential data or performing arbitrary actions on the server.

Affected Systems

Red Hat products affected include Red Hat Data Grid 8, Red Hat Enterprise Linux 10, 8 and 9, Red Hat Fuse 7, Red Hat JBoss Enterprise Application Platform 7 and 8 along with the expansion pack, Red Hat Process Automation 7, Red Hat Single Sign‑On 7, and the Red Hat build of Apache Camel – HawtIO 4 and of Apache Camel for Spring Boot 4. The vulnerability is present in the Undertow component used by these products; any release containing the vulnerable Undertow version is treated as impacted.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is high severity, and EPSS indicates an exploitation likelihood under 1 % while it is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring the attacker to send a malicious HTTP request that begins with leading spaces. If exposed to the Internet, this provides a low‑but‑non‑negligible risk of data exposure or unauthorized intrusion via request smuggling.

Generated by OpenCVE AI on March 31, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Red Hat updates that contain the Undertow patch for CVE‑2026‑28369.
  • If an update is not yet available, block or reject HTTP requests that start with leading spaces using a firewall, proxy, or application‑level filter.
  • Confirm that the affected products are running a fixed version of Undertow; perform a version audit.
  • Monitor ingress traffic for malformed HTTP headers and alert on suspicious activity.
  • Maintain regular patch‑management cycles and review Red Hat advisories for future updates.

Generated by OpenCVE AI on March 31, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vqqj-9cmv-hx43 Undertow is Vulnerable to HTTP Request/Response Smuggling
History

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat single Sign-on
Redhat undertow
CPEs cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat single Sign-on
Redhat undertow

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Vendors & Products Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation

Sun, 29 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Title Undertow: undertow: request smuggling via malformed http request headers
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-444
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Redhat Apache Camel Hawtio Build Of Apache Camel - Hawtio Build Of Apache Camel For Spring Boot Camel Spring Boot Data Grid Enterprise Linux Fuse Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Process Automation Red Hat Single Sign On Single Sign-on Undertow
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T08:29:32.945Z

Reserved: 2026-02-27T04:42:16.439Z

Link: CVE-2026-28369

cve-icon Vulnrichment

Updated: 2026-03-29T13:56:07.822Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T17:16:28.240

Modified: 2026-03-31T18:08:21.153

Link: CVE-2026-28369

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:01:04Z

Weaknesses