HIGHCVE-2026-28367Published Modified CNA redhat
CVE-2026-28367: Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Metrics
- CVSS v3.1
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 17
Affected packages
- Red Hat / Red Hat build of Apache Camel for Spring Boot 4
- Red Hat / Red Hat build of Apache Camel - HawtIO 4
- Red Hat / Red Hat Data Grid 8
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
- Red Hat / Red Hat Fuse 7
- Red Hat / Red Hat JBoss Enterprise Application Platform 7
- Red Hat / Red Hat JBoss Enterprise Application Platform 8
- Red Hat / Red Hat JBoss Enterprise Application Platform 8
- Red Hat / Red Hat JBoss Enterprise Application Platform 8
- Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
- Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
- Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
- Red Hat / Red Hat Process Automation 7
- Red Hat / Red Hat Single Sign-On 7
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NReferences