CVE-2026-28367: Undertow Request Smuggling Vulnerability
Platform: java
Component: apache-undertow
Fixed in: 2.5.4
CVE-2026-28367 describes a request smuggling vulnerability in Undertow. A remote attacker can exploit the flaw by sending a specific byte sequence as the header block terminator, which can lead to unauthorized access to, or manipulation of, web requests. The issue affects Undertow and can be exploited when it is deployed behind an older Apache Traffic Server or a Google Cloud Classic Application Load Balancer. No official patch is currently available.
How to fix
Update the Apache Undertow library to version 2.5.4 or later to mitigate the request smuggling vulnerability. Check the release notes for upgrade instructions specific to your environment. Also, make sure that any proxy servers used in front of Undertow are configured correctly to prevent request smuggling.
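Request smuggling of the kind described above works because a proxy and the server behind it disagree about where the header block ends and the body begins. The following is an added illustration, not code from this advisory or from the Undertow project. The page does not state which terminator sequence is involved in CVE-2026-28367, so the leniency modelled here (a bare LF ending a line, hence LF LF closing the header block) is an assumed stand-in; the point is the shape of the strict front-end check that rejects any header block not terminated by CRLF CRLF with every line ending in CRLF, so that the front end never forwards bytes it interprets differently from the back end.

```python
"""Strict vs. lenient HTTP/1.1 header-block termination (added example).

Not code from the advisory or from Undertow. The bare-LF leniency modelled by
lenient_split() is an assumption used for contrast only; the actual sequence
behind CVE-2026-28367 is not given on the page.
"""

from typing import Optional, Tuple

CRLF = b"\r\n"
CANONICAL_TERMINATOR = CRLF + CRLF  # the only header-block terminator defined for HTTP/1.1

Split = Optional[Tuple[bytes, bytes]]  # (header block without its final CRLF, body)


def naive_split(raw: bytes) -> Split:
    """Looks only for CRLF CRLF and never inspects the lines in between.
    A proxy that behaves like this forwards whatever it did not understand,
    which is one half of the parser mismatch smuggling relies on."""
    end = raw.find(CANONICAL_TERMINATOR)
    if end == -1:
        return None
    return raw[:end], raw[end + len(CANONICAL_TERMINATOR):]


def lenient_split(raw: bytes) -> Split:
    """Assumed model of a permissive back end: a bare LF ends a line, so an
    empty LF-terminated line (LF LF, CRLF LF, ...) also closes the header block."""
    pos = 0
    while True:
        nl = raw.find(b"\n", pos)
        if nl == -1:
            return None
        if raw[pos:nl].rstrip(b"\r") == b"":        # empty line: headers are over
            return raw[:pos].rstrip(b"\r\n"), raw[nl + 1:]
        pos = nl + 1


def strict_split(raw: bytes) -> Split:
    """Front-end check: accept the block only if it ends in CRLF CRLF and every
    LF inside it is part of a CRLF. None means "reject the request" rather than
    "guess", which is what removes the disagreement between the two parsers."""
    end = raw.find(CANONICAL_TERMINATOR)
    if end == -1:
        return None
    block = raw[:end + len(CRLF)]
    for i, byte in enumerate(block):
        if byte == 0x0A and (i == 0 or block[i - 1] != 0x0D):
            return None                                # bare LF inside the headers
    return raw[:end], raw[end + len(CANONICAL_TERMINATOR):]


def parsers_disagree(raw: bytes) -> bool:
    """True when a CRLF-only parser and the lenient parser would hand the
    application different header/body splits for the same bytes."""
    return naive_split(raw) != lenient_split(raw)


# Constructed sample requests, not captured traffic.
CANONICAL_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)
# Same request, but the header block is closed with LF LF, and a CRLF CRLF
# only appears later, inside what the lenient parser already treats as body.
AMBIGUOUS_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Length: 5\n\nhello\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("canonical", CANONICAL_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(f"{name}: strict={strict_split(req)!r}")
        print(f"{name}: naive body={naive_split(req) and naive_split(req)[1]!r}")
        print(f"{name}: lenient body={lenient_split(req) and lenient_split(req)[1]!r}")
        print(f"{name}: parsers disagree={parsers_disagree(req)}")
```

For the canonical request all three functions agree. For the ambiguous one the CRLF-only parser sees an empty body, the lenient parser sees `hello` plus trailing bytes, and `strict_split` returns `None`; a proxy applying the strict check would reject the request with a 400 instead of forwarding it, which is the configuration-level mitigation the fix guidance refers to.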
Frequently asked questions
What is CVE-2026-28367?
CVE-2026-28367 is a request smuggling vulnerability in Undertow that allows attackers to manipulate web requests by sending a specific header terminator sequence.
Am I affected by CVE-2026-28367?
You are potentially affected if you are using Undertow with certain proxy servers like older Apache Traffic Server or Google Cloud Classic Application Load Balancer.
How do I fix or mitigate CVE-2026-28367?
Currently, there is no official patch available. Mitigation strategies should focus on hardening proxy server configurations to prevent request smuggling.