CVE-2026-28367
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.40.0-7.redhat_00015.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:801.6.1-1.GA_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:2.3.24-3.SP2_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | 0:8.1.6-7.GA_redhat_00010.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:2.40.0-7.redhat_00015.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:801.6.1-1.GA_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:2.3.24-3.SP2_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 | 0:8.1.6-7.GA_redhat_00010.1.el9eap < * | unaffected |
Weaknesses
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workarounds
To mitigate this vulnerability, configure any proxy servers positioned in front of Undertow to strictly validate HTTP header terminations. Ensure that these proxies are configured to reject or normalize non-standard header block terminators, such as \r\r\r, before forwarding requests to Undertow. This operational control helps prevent request smuggling attacks by ensuring that only properly formed HTTP requests reach the Undertow server.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2026:25125
- https://access.redhat.com/errata/RHSA-2026:25126
- https://access.redhat.com/security/cve/CVE-2026-28367
- https://bugzilla.redhat.com/show_bug.cgi?id=2443260
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.