CVE-2026-28368

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

9.1CRITICAL

EPSS

0.1%

top 70.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Build OF Apache Camel - Hawtio Redhat Build OF Apache Camel FOR Spring Boot Redhat Data Grid +5 more

Timeline

PublishedMar 27

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.8

Affected Packages8 packages

▶Mavenio.undertow:undertow-parent2.3.23.Final

▶NVDredhat/fuse7.0.0

▶NVDredhat/data_grid8.0

▶NVDredhat/single_sign-on7.0

▶NVDredhat/process_automation7.0

Also affects: Enterprise Linux 9.0

🔴Vulnerability Details

GHSA

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

OSV

CVE-2026-28368: A flaw was found in Undertow↗2026-03-27

▶

CVEList

Undertow: undertow: request smuggling via inconsistent header parsing↗2026-03-27

▶

OSV

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

📋Vendor Advisories

Debian

CVE-2026-28368: undertow - A flaw was found in Undertow. This vulnerability allows a remote attacker to con...↗2026

▶

Red Hat

undertow: Undertow: Request smuggling via inconsistent header parsing↗2025-08-27

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28368 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶