CVE-2026-28368 HIGH

CVE-2026-28368: Undertow: undertow: request smuggling via inconsistent header parsing

Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8.1
Weakness CWE-444
Published March 27, 2026
Last update June 10, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests whose header names are parsed differently by Undertow than by an upstream proxy. Because the proxy and Undertow then disagree on where one request ends and the next begins, this discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls enforced at the proxy and accessing unauthorized resources.
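The defensive check implied by the description is to make sure only one interpretation of each header line exists before a request is forwarded. The following is an added example, not code from this record, from Red Hat or from the Undertow project: it contrasts a strict RFC 9112 header-name parser with a hypothetical lenient one (an assumption of this example, not a description of how Undertow or any specific proxy actually behaves; the record does not detail the exact discrepancy) and flags the lines on which they disagree. The sample header lines are constructed for the example.

```python
"""Flag header lines that a strict (RFC 9112) parser rejects but a lenient
parser would accept: the class of parser disagreement behind CWE-444."""
import re
from typing import List, Optional, Tuple

# RFC 9110 tchar set; a field name is 1*tchar with no surrounding whitespace.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_FIELD_NAME = re.compile(rf"{_TCHAR}+")

Header = Tuple[str, str]  # (lower-cased name, value)


def strict_parse(line: str) -> Optional[Header]:
    """Parse a single header line as RFC 9112 requires.

    Whitespace between the name and the colon, or any non-tchar character in
    the name, makes the line invalid; RFC 9112 says a server MUST reject such
    a message with 400 Bad Request. Returns None in that case."""
    name, sep, value = line.partition(":")
    if not sep or not _FIELD_NAME.fullmatch(name):
        return None
    return name.lower(), value.strip(" \t")


def lenient_parse(line: str) -> Optional[Header]:
    """Hypothetical lenient parser used only as a model (an assumption of
    this example, not the behaviour of Undertow or any real proxy): it trims
    whitespace around the name before validating it."""
    name, sep, value = line.partition(":")
    if not sep:
        return None
    name = name.strip(" \t")
    if not _FIELD_NAME.fullmatch(name):
        return None
    return name.lower(), value.strip(" \t")


def find_discrepancies(lines: List[str]) -> List[str]:
    """Return the header lines on which the two parsers disagree. Each such
    line is one that a front-end and a back-end could interpret differently."""
    return [ln for ln in lines if strict_parse(ln) != lenient_parse(ln)]


def accept_request_headers(lines: List[str]) -> bool:
    """Edge policy: accept a request only if every header line parses
    strictly, so no ambiguous line is ever handed to a second parser."""
    return all(strict_parse(ln) is not None for ln in lines)


# Constructed sample header lines (not taken from any real traffic).
SAMPLE_HEADERS = [
    "Host: app.internal",
    "Content-Length : 13",        # space before the colon: invalid per RFC 9112
    "X-Trace\t: 1",               # tab before the colon: also invalid
    "X Forwarded-For: 10.0.0.1",  # space inside the name: both parsers reject
    "X-Request-Id: abc123",
]

if __name__ == "__main__":
    for ln in find_discrepancies(SAMPLE_HEADERS):
        print(f"ambiguous: {ln!r} strict={strict_parse(ln)} lenient={lenient_parse(ln)}")
    print("accept request:", accept_request_headers(SAMPLE_HEADERS))
```

Run against the sample, `find_discrepancies` returns the two lines with whitespace before the colon, while the line with a space inside the name is rejected by both parsers and is therefore not ambiguous. The practical takeaway is the policy in `accept_request_headers`: reject at the first hop anything a strict parser would reject, rather than normalising it, so every component downstream sees the same request boundaries.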

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
June 10, 2026 Record updated