CVE-2026-28367

Summary

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:2.40.0-7.redhat_00015.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:801.6.1-1.GA_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:2.3.24-3.SP2_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 80:8.1.6-7.GA_redhat_00010.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:2.40.0-7.redhat_00015.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:801.6.1-1.GA_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:2.3.24-3.SP2_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.1 for RHEL 90:8.1.6-7.GA_redhat_00010.1.el9eap < *unaffected

Weaknesses

  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Workarounds

To mitigate this vulnerability, configure any proxy servers positioned in front of Undertow to strictly validate HTTP header terminations. Ensure that these proxies are configured to reject or normalize non-standard header block terminators, such as \r\r\r, before forwarding requests to Undertow. This operational control helps prevent request smuggling attacks by ensuring that only properly formed HTTP requests reach the Undertow server.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References