CVE-2026-28369

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

9.1CRITICAL

EPSS

0.1%

top 64.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Build OF Apache Camel - Hawtio Redhat Build OF Apache Camel FOR Spring Boot Redhat Data Grid +5 more

Timeline

PublishedMar 27

Description

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.8

Affected Packages8 packages

▶Mavenio.undertow:undertow-parent2.3.23.Final

▶NVDredhat/data_grid8.0

▶NVDredhat/fuse7.0.0

▶NVDredhat/single_sign-on7.0

▶NVDredhat/process_automation7.0

Also affects: Enterprise Linux 9.0

🔴Vulnerability Details

OSV

CVE-2026-28369: A flaw was found in Undertow↗2026-03-27

▶

CVEList

Undertow: undertow: request smuggling via malformed http request headers↗2026-03-27

▶

OSV

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

GHSA

Undertow is Vulnerable to HTTP Request/Response Smuggling↗2026-03-27

▶

📋Vendor Advisories

Debian

CVE-2026-28369: undertow - A flaw was found in Undertow. When Undertow receives an HTTP request where the f...↗2026

▶

Red Hat

undertow: Undertow: Request Smuggling via Malformed HTTP Request Headers↗2025-08-27

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28369 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶