CVE-2026-28367 — HIGH (8.7)

Vulnerability Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

CVSS Score

8.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Build Of Apache Camel - Hawtio	4.0
Redhat	Build Of Apache Camel For Spring Boot	4.0
Redhat	Data Grid	8.0
Redhat	Fuse	7.0.0
Redhat	Jboss Enterprise Application Platform	7.0.0
Redhat	Jboss Enterprise Application Platform Expansion Pack	-
Redhat	Process Automation	7.0
Redhat	Single Sign-On	7.0
Redhat	Undertow	-

Related Weaknesses (CWE)

CWE-444

References

https://access.redhat.com/security/cve/CVE-2026-28367Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2443260Issue TrackingVendor Advisory

FAQ

What is CVE-2026-28367?

CVE-2026-28367 is a vulnerability with a CVSS score of 8.7 (HIGH). A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such...

How severe is CVE-2026-28367?

CVE-2026-28367 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-28367?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Build Of Apache Camel - Hawtio, Redhat Build Of Apache Camel For Spring Boot, Redhat Data Grid, Redhat Fuse, Redhat Jboss Enterprise Application Platform.