CVE-2026-3260

CWE-770 — Allocation without Limits8 documents7 sources

Severity

7.5HIGH

EPSS

0.6%

top 31.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Build OF Apache Camel - Hawtio Redhat Build OF Apache Camel FOR Spring Boot Redhat Data Grid +5 more

Timeline

PublishedMar 24

Description

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

▶NVDredhat/jboss_enterprise_application_platform7.0.0, 8.0.0+1

▶Mavenio.undertow:undertow-core< 2.4.0.Beta1

▶NVDredhat/data_grid8.0

▶NVDredhat/fuse7.0.0

▶NVDredhat/single_sign-on7.0

Also affects: Enterprise Linux 10.0, 8.0, 9.0

🔴Vulnerability Details

OSV

Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests↗2026-03-24

▶

OSV

CVE-2026-3260: A flaw was found in Undertow↗2026-03-24

▶

CVEList

Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests↗2026-03-24

▶

GHSA

Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests↗2026-03-24

▶

📋Vendor Advisories

Red Hat

undertow: Undertow: Denial of Service due to premature multipart/form-data parsing in GET requests↗2026-03-24

▶

Debian

CVE-2026-3260: undertow - A flaw was found in Undertow. A remote attacker could exploit this vulnerability...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3260 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶