CVE-2026-28368
DOCUMENTATION: A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
STATEMENT: This flaw in Undertow's header parsing logic allows for request smuggling attacks when Undertow is deployed behind an upstream proxy. Crafted requests can bypass security controls by being interpreted differently by Undertow and the proxy, potentially leading to unauthorized access or cache poisoning.
MITIGATION: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
References
https://access.redhat.com/security/cve/CVE-2026-28368
