CVE-2026-28367 — HTTP Request Smuggling in Redhat Build OF Apache Camel FOR Spring Boot

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

9.1CRITICALNVD

CNA8.7

EPSS

0.0%

top 87.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

Redhat Build OF Apache Camel FOR Spring Boot Redhat Build OF Apache Camel Hawtio Redhat Data Grid +4 more

Timeline

PublishedMar 27

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages7 packages

▶NVDredhat/build_of_apache_camel4.0

▶NVDredhat/build_of_apache_camel_hawtio4.0

▶NVDredhat/jboss_enterprise_application_platform7.0.0, 8.0.0+1

▶NVDredhat/fuse7.0.0

▶NVDredhat/data_grid8.0

🔴Vulnerability Details

4

GHSA

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

OSV

CVE-2026-28367: A flaw was found in Undertow↗2026-03-27

▶

OSV

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

CVEList

Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator↗2026-03-27

▶

📋Vendor Advisories

2

Debian

CVE-2026-28367: undertow - A flaw was found in Undertow. A remote attacker can exploit this vulnerability b...↗2026

▶

Red Hat

undertow: Undertow: Request smuggling via `\r\r\r` as a header block terminator↗2025-08-27

▶

🕵️Threat Intelligence

1

Wiz

CVE-2026-28367 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶