PatchSiren cyber security CVE debrief
CVE-2026-28369 Red Hat CVE debrief
A request smuggling vulnerability in Undertow allows remote attackers to bypass security controls by sending HTTP requests with leading spaces in the first header line. Undertow incorrectly strips these spaces, violating HTTP standards and enabling request smuggling attacks that can lead to cache poisoning, unauthorized access, or data exposure.
- Vendor
- Red Hat
- Product
- JBoss Enterprise Application Platform
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-27
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-03-27
- Advisory updated
- 2026-06-10
Who should care
Organizations running Red Hat JBoss Enterprise Application Platform 7.x or 8.x, Red Hat Data Grid, Red Hat Fuse, Red Hat Single Sign-On, or other products embedding Undertow. Security teams operating layered HTTP architectures with WAFs, load balancers, or reverse proxies in front of Undertow-based applications. Teams responsible for web cache integrity and HTTP request normalization policies.
Technical summary
Undertow's HTTP parser does not reject a request in which the line immediately after the request line (the first header line) begins with one or more spaces. RFC 9112 section 2.2 requires a recipient that sees whitespace between the start line and the first header field either to reject the message or to consume the whitespace-preceded line without processing it; Undertow instead strips the spaces and processes the line as a header field. A front-end component that follows the RFC (a WAF, load balancer, or reverse proxy) and Undertow therefore read different header sets from the same bytes. When the whitespace-preceded line carries a message-framing header such as Content-Length or Transfer-Encoding, the two parsers disagree about where the first request's body ends: the front end forwards what it sees as one request, and Undertow parses it as two, the second of which never passed the front end's controls. That is the CWE-444 pattern behind the cache poisoning, unauthorized access, and data exposure outcomes above. CVSS 3.1 scores the issue 8.7 (HIGH): network attack vector, high attack complexity, no privileges required, no user interaction, changed scope, high impact to confidentiality and integrity, none to availability.
Defensive priority
HIGH
Recommended defensive actions
- Apply Red Hat security advisories RHSA-2026:25125 and RHSA-2026:25126 as applicable to your environment.
- Configure WAFs, load balancers, and reverse proxies in front of Undertow to reject requests whose first header line begins with a space or tab. Normalizing (stripping the whitespace) removes the discrepancy only if every hop in the path strips it identically; rejecting the request is the safer choice because no compliant client sends it.
- Monitor HTTP traffic for requests in which the line after the request line begins with whitespace. Compliant clients never produce this, so such requests are a direct indicator of smuggling attempts.
- Ensure every HTTP parser in the path, upstream and downstream, enforces RFC 9112 framing and rejects whitespace before the first header field instead of silently consuming or normalizing it.
- Validate that caching infrastructure is not susceptible to cache poisoning via request smuggling vectors.
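The following added example illustrates both the parser discrepancy described in the technical summary and the monitoring check in the list above. It is not Undertow's or Red Hat's code: it models three toy HTTP/1.1 parsers over one constructed byte stream, the two behaviours RFC 9112 section 2.2 permits for a whitespace-preceded line before the first header field ("reject" and "consume") and the stripping behaviour the advisory attributes to Undertow ("strip"). The stream, the request paths, the host name, and the assumption that the stripping parser otherwise frames the body per RFC 9112 section 6.3 (chunked Transfer-Encoding overriding Content-Length) are this example's own, not reproduction steps for the CVE.

```python
# Added example (not Undertow's or Red Hat's code): three toy HTTP/1.1 header
# parsers over the same raw request, modelling the two behaviours RFC 9112
# section 2.2 permits for whitespace before the first header field ("reject",
# "consume") and the stripping behaviour the advisory attributes to Undertow
# ("strip"), plus the monitoring check from the recommended actions.
import re

CRLF = b"\r\n"


class MalformedRequest(ValueError):
    """Raised when a parser refuses a request."""


def split_head(raw: bytes):
    """Return (request_line, header_lines, remainder) for the first request in raw."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise MalformedRequest("no end of header block")
    lines = head.split(CRLF)
    return lines[0], lines[1:], rest


def parse_field(line: bytes):
    """Split 'Name: value' into (lowercased name, trimmed value)."""
    name, sep, value = line.partition(b":")
    if not sep or not name or name != name.strip(b" \t"):
        raise MalformedRequest("bad header field: %r" % line)
    return name.lower(), value.strip(b" \t")


def parse_headers(lines, mode):
    """mode 'reject' and 'consume' are the two RFC 9112 2.2 behaviours for a
    whitespace-preceded line before the first header field; 'strip' models the
    advisory's description of Undertow (spaces stripped, line processed as a
    header field). Whitespace-preceded lines after a field (obs-fold) are
    rejected in every mode."""
    headers = {}
    seen_field = False
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            if seen_field or mode == "reject":
                raise MalformedRequest("whitespace-preceded header line")
            if mode == "consume":
                continue                   # consumed without processing
            line = line.lstrip(b" \t")     # mode == "strip"
        name, value = parse_field(line)
        headers[name] = value
        seen_field = True
    return headers


def body_length(headers, rest: bytes) -> int:
    """Bytes of rest that belong to this request's body; a chunked
    Transfer-Encoding overrides Content-Length (RFC 9112 section 6.3).
    Assumption of this example: the stripping parser frames bodies this way."""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        pos = 0
        while True:
            eol = rest.index(CRLF, pos)
            size = int(rest[pos:eol].split(b";")[0], 16)
            pos = eol + 2 + size + 2       # size line, chunk data, trailing CRLF
            if size == 0:
                return pos
    return int(headers.get(b"content-length", b"0"))


def split_requests(raw: bytes, mode) -> list:
    """Request lines this parser extracts from one TCP stream."""
    seen = []
    while raw:
        request_line, lines, rest = split_head(raw)
        n = body_length(parse_headers(lines, mode), rest)
        if n > len(rest):
            raise MalformedRequest("incomplete body")
        seen.append(request_line)
        raw = rest[n:]
    return seen


def parser_view(raw: bytes, mode):
    """Request lines seen, or None if the parser rejects the stream."""
    try:
        return split_requests(raw, mode)
    except MalformedRequest:
        return None


def has_whitespace_before_first_header(raw: bytes) -> bool:
    """Monitoring check: the line after the request line starts with SP/HTAB."""
    return re.match(rb"[^\r\n]+\r\n[ \t]", raw) is not None


# Constructed stream (hypothetical paths and host): Content-Length covers every
# byte after the header block (47), while the whitespace-preceded line
# declares chunked framing that ends after the first five body bytes.
CONSTRUCTED = (
    b"POST /upload HTTP/1.1\r\n"
    b" Transfer-Encoding: chunked\r\n"   # leading space: not a field per RFC 9112
    b"Host: app.example\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n\r\n"
)
CLEAN = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for mode in ("reject", "consume", "strip"):
        print(mode, parser_view(CONSTRUCTED, mode))
```

Run stand-alone, the "consume" parser (a compliant front end) reports a single POST, the "strip" parser reports the POST followed by a GET to /admin that the front end never evaluated, and the "reject" parser returns None. A front end that normalizes by stripping would agree with the back end, which is why the action list above prefers rejection: the detector `has_whitespace_before_first_header` is the corresponding monitoring rule and never fires on the clean request.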
Evidence notes
CVE published 2026-03-27; modified 2026-06-10. Red Hat has issued security advisories RHSA-2026:25125 and RHSA-2026:25126. The vulnerability is tracked in Red Hat Bugzilla 2443262. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. CWE-444 (HTTP Request/Response Smuggling). Affected products include Red Hat JBoss Enterprise Application Platform 7.x and 8.x, Red Hat Data Grid 8.0, Red Hat Fuse 7.0.0, Red Hat Single Sign-On 7.0, Red Hat Process Automation 7.0, Red Hat Build of Apache Camel 4.0, and Red Hat Enterprise Linux 9.0.
Official resources
- CVE-2026-28369 CVE record (CVE.org)
- CVE-2026-28369 NVD detail (NVD)
- Mitigation or vendor reference (NVD tag: Vendor Advisory)
- Mitigation or vendor reference (NVD tags: Issue Tracking, Vendor Advisory)