Description
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Published: 2026-03-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

This vulnerability exists in the Undertow web server component used by several Red Hat products. A remote attacker can send an HTTP GET request that includes multipart/form-data components. If the application processes query parameters via methods such as getParameterMap(), Undertow enumerates and writes the multipart data to disk before the request is fully received. This premature parsing causes disk usage to grow and leads to resource exhaustion, resulting in a denial‑of‑service condition.

Affected Systems

Affected products include Red Hat Data Grid 8, Red Hat Enterprise Linux 10, 8, 9, Red Hat Fuse 7, Red Hat JBoss Enterprise Application Platform 7 and 8 and its Expansion Pack, Red Hat Process Automation 7, Red Hat Single Sign‑On 7, and Red Hat builds of Apache Camel – HawtIO 4 and Camel for Spring Boot 4. Exact version ranges are not specified in the advisory, but any configuration that incorporates Undertow and processes GET parameters may be susceptible.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalogue, suggesting a lower likelihood of widespread exploitation at this time. The attack vector is remote over HTTP; the attacker needs only to craft a multipart/form-data GET request targeting a vulnerable application. Because the flaw can consume disk space rapidly, a successful exploit can degrade or halt service availability, imposing a limited but non‑catastrophic impact on affected systems.

Generated by OpenCVE AI on April 8, 2026 at 20:43 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check Red Hat’s security advisories for a patch or update that addresses the Undertow multipart‑form-data processing flaw.
  • If a patch is available, plan and apply it to all affected systems as soon as possible.
  • Since no official workaround exists, constrain incoming HTTP traffic by blocking or filtering multipart/form-data GET requests from untrusted networks at a firewall or reverse proxy.
  • Monitor system logs and disk usage for signs of abnormal multipart traffic or resource exhaustion, and adjust the filter thresholds as needed.
  • If immediate patching is not feasible, document the risk and review the exposure until a fix is released.
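The filtering step above can be implemented as a small request-head check in front of the Undertow backend. The following is an added example, not code from Red Hat, Undertow or OpenCVE; it assumes the reverse proxy or WAF can hand the raw request line and headers to `should_reject()` before forwarding, and the sample request heads are constructed, not captured traffic. It rejects GET/HEAD requests whose Content-Type is multipart/form-data (case-insensitively, ignoring the boundary parameter) and fails closed on a request head it cannot parse, while normal POST uploads pass through untouched.

```python
"""Edge check for the Undertow multipart-on-GET pattern: reject GET/HEAD
requests that declare a multipart/form-data body before they reach the
backend, where getParameterMap() would otherwise parse them to disk.

Added example. It assumes the reverse proxy or WAF can pass the raw request
head (request line plus headers) to should_reject() before forwarding.
"""
from typing import Dict, List, Tuple

# Methods that normally carry no body; a multipart body on these is the
# pattern the advisory describes.
BODYLESS_METHODS = {"GET", "HEAD"}


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; repeated headers are joined with ", ".
    Raises ValueError on a malformed request line or header line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return method.upper(), target, headers


def media_type(content_type: str) -> str:
    """Return the bare media type, dropping parameters such as boundary=."""
    return content_type.split(";", 1)[0].strip().lower()


def should_reject(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a request head matches the risky pattern.

    Returns (reject, reason). Only GET/HEAD requests whose Content-Type is
    multipart/form-data are rejected; POST/PUT uploads pass through.
    An unparseable head is rejected (fail closed) rather than forwarded.
    """
    try:
        method, _target, headers = parse_request_head(raw)
    except ValueError as exc:
        return True, "unparseable request head: %s" % exc
    ctype = media_type(headers.get("content-type", ""))
    if method in BODYLESS_METHODS and ctype == "multipart/form-data":
        return True, "%s request declares multipart/form-data" % method
    return False, "ok"


def triage(requests: List[bytes]) -> List[Tuple[bool, str]]:
    """Apply should_reject() to a batch of request heads."""
    return [should_reject(r) for r in requests]


# Constructed sample request heads (not captured traffic).
SAMPLES: List[bytes] = [
    b"GET /app/search?q=x HTTP/1.1\r\nHost: app.example\r\n\r\n",
    b"GET /app/search HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----abc\r\nContent-Length: 64\r\n\r\n",
    b"POST /app/upload HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----abc\r\nContent-Length: 64\r\n\r\n",
    b"HEAD /app/ HTTP/1.1\r\nHost: app.example\r\nContent-Type: Multipart/Form-Data\r\n\r\n",
    b"GET /app/ HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n",
]

if __name__ == "__main__":
    for raw, (reject, reason) in zip(SAMPLES, triage(SAMPLES)):
        request_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
        print("REJECT" if reject else "allow ", request_line, "-", reason)
```

Each rejection reason is a stable string, so the same function can feed the monitoring step: counting rejections per source over time gives the "abnormal multipart traffic" signal the recommendation asks for, independent of the backend's disk usage.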


Advisories
Source: Github GHSA
ID: GHSA-3x3v-w654-m28m
Title: Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests
History

Wed, 08 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat single Sign-on
CPEs cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat single Sign-on

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity
Removed: None
Added: Moderate


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Redhat undertow
Vendors & Products Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat data Grid
Redhat fuse
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat process Automation
Redhat undertow

Tue, 24 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Title Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests
First Time appeared Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-770
CPEs cpe:/a:redhat:apache_camel_hawtio:4
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat apache Camel Hawtio
Redhat camel Spring Boot
Redhat enterprise Linux
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-08T19:34:26.182Z

Reserved: 2026-02-26T14:22:15.920Z

Link: CVE-2026-3260

Vulnrichment

Updated: 2026-03-26T12:31:26.719Z

NVD

Status: Analyzed

Published: 2026-03-24T05:16:24.073

Modified: 2026-04-08T19:11:02.547

Link: CVE-2026-3260

Redhat

Severity: Moderate

Public Date: 2026-03-24T04:05:00Z

Links: CVE-2026-3260 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-09T08:29:38Z

Weaknesses