PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28368 Red Hat CVE debrief

A request smuggling vulnerability in Undertow allows remote attackers to exploit header parsing discrepancies between Undertow and upstream proxies. The flaw, published 2026-03-27 and modified 2026-06-10, enables crafted requests with header names that are interpreted differently by Undertow versus intermediary proxies. This can bypass security controls and grant unauthorized resource access. CVSS 8.7 (HIGH). Affected Red Hat products include JBoss Enterprise Application Platform 7.x/8.x, Undertow, Red Hat Data Grid 8.0, Fuse 7.0.0, Process Automation 7.0, Single Sign-On 7.0, Build of Apache Camel/Hawtio 4.0, Build of Apache Camel for Spring Boot 4.0, JBoss EAP Expansion Pack, and Red Hat Enterprise Linux 9.0. CWE-444 (HTTP Request/Response Smuggling). No KEV listing. Red Hat has issued advisories RHSA-2026:25125 and RHSA-2026:25126.

Vendor: Red Hat
Product: JBoss Enterprise Application Platform
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-27
Original CVE updated: 2026-06-10
Advisory published: 2026-03-27
Advisory updated: 2026-06-10

Who should care

Organizations running Red Hat JBoss EAP, Undertow, or related middleware products behind reverse proxies or load balancers. Security teams responsible for web application firewall tuning, proxy configuration, and HTTP request handling consistency. Infrastructure operators using affected Red Hat Enterprise Linux 9.0 deployments with vulnerable Undertow components.

Technical summary

Undertow's parsing of HTTP header names diverges from that of upstream proxies, creating a request smuggling vector. An attacker sends crafted requests in which a header name is interpreted differently by the proxy and by Undertow, so the two disagree on where one request ends and the next begins. Successful exploitation bypasses security controls and grants access to unauthorized resources. The CVSS 8.7 (HIGH) rating reflects a changed scope (S:C) and high confidentiality and integrity impact (C:H/I:H); attack complexity is high (AC:H), and no privileges or user interaction are required (PR:N/UI:N). Affected platforms span JBoss EAP 7/8, Data Grid, Fuse, SSO, and RHEL 9.0. Red Hat has addressed this through RHSA-2026:25125 and RHSA-2026:25126.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Red Hat security advisories RHSA-2026:25125 and RHSA-2026:25126 as applicable to affected products.
  • Review proxy and load balancer configurations for consistent header parsing behavior with backend Undertow servers.
  • Implement request smuggling defenses at the proxy layer, including strict header validation and rejecting ambiguous requests.
  • Monitor for anomalous HTTP traffic patterns indicative of request smuggling attempts, such as unexpected method or path mutations.
  • Validate that security controls (WAF, authentication gates) inspect the same request boundaries as the origin server.
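A proxy-side strict header check of the kind the second and third actions describe, as an added example (not Undertow, Red Hat, or PatchSiren code). It assumes a hypothetical pre-filter that sees the raw request head before forwarding and rejects anything whose header names fall outside the RFC 9110 token grammar, or whose framing headers conflict, rather than guessing how the origin server would read it.

```python
import re

# RFC 9110 "token" characters: the only characters a header field name may contain.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_request_head(raw: bytes) -> list[str]:
    """Return the reasons a request head is ambiguous; an empty list means accept.

    Constructed proxy-layer pre-filter (assumption, not Undertow's parser). Anything
    two HTTP parsers could reasonably read differently is rejected outright.
    """
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding (obs-fold)")
            continue
        name, sep, _ = line.partition(b":")
        if not sep:
            problems.append(f"header line without colon: {line[:40]!r}")
            continue
        try:
            name_s = name.decode("ascii")
        except UnicodeDecodeError:
            problems.append(f"non-ASCII header name: {name[:40]!r}")
            continue
        if not _TOKEN.match(name_s):
            # Covers empty names, whitespace before the colon, and control characters.
            problems.append(f"non-token header name: {name_s!r}")
            continue
        names.append(name_s.lower())
    # Framing ambiguity: the proxy and origin must never disagree on the body length.
    if names.count("content-length") > 1:
        problems.append("multiple Content-Length headers")
    if "content-length" in names and "transfer-encoding" in names:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


# Constructed sample request heads for illustration.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\nabc"
SPACED_NAME = b"POST /api HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For : 10.0.0.1\r\nContent-Length: 3\r\n\r\nabc"
CL_AND_TE = b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
FOLDED = b"GET / HTTP/1.1\r\nHost: a\r\n continued\r\n\r\n"
```

Run the checker in front of the origin and drop (or log and return 400 for) any request that yields a non-empty list; the logged reason doubles as the detection signal the fourth action asks for.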

Evidence notes

CVE description confirms header parsing discrepancy enabling request smuggling. NVD CPE data lists affected Red Hat products. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. Red Hat Bugzilla 2443261 and RHSA-2026:25125/25126 provide vendor tracking and remediation. CWE-444 assigned by Red Hat.
