Platform: java
Component: apache-undertow
Fixed in: 1.10.0, 2.5.4
A critical vulnerability has been identified in Apache Undertow, a Java servlet container. This flaw allows a remote attacker to exploit a header block terminator issue by sending \r\r\r, potentially enabling request smuggling attacks. This is particularly concerning when Undertow is deployed behind proxy servers such as older versions of Apache Traffic Server or Google Cloud Classic Application Load Balancer, as it can lead to unauthorized access or manipulation of web requests. Affected versions include 1.0.0 through 2.5.3; a fix is available in version 2.5.4.
The core of this vulnerability lies in Undertow's handling of header block terminators. By injecting \r\r\r into a header, an attacker can trick Undertow into prematurely ending the header section of a request. This can be exploited in conjunction with proxy servers that don't properly normalize or validate headers. The resulting request smuggling allows an attacker to craft malicious requests that are interpreted differently by the proxy and Undertow, potentially bypassing security controls. For example, an attacker could inject a seemingly innocuous request that, when processed by the proxy, is interpreted as a request to access sensitive data or execute unauthorized commands. The blast radius extends to any downstream systems accessible through the proxy, as the smuggled request can be used to target those systems directly.
This vulnerability is considered high probability due to its relatively simple exploitation mechanism and the widespread use of Undertow in conjunction with proxy servers. While no public exploits have been released at the time of writing, the ease of exploitation makes it a likely target for attackers. The vulnerability was publicly disclosed on March 27, 2026. It is not currently listed on CISA KEV, but its potential impact warrants close monitoring. The request smuggling aspect shares similarities with vulnerabilities seen in other web servers, highlighting the importance of robust header handling.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-28367 is to upgrade to Apache Undertow version 2.5.4 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to configure the proxy server to strictly enforce header normalization and validation, preventing the injection of malformed header terminators. Another workaround involves implementing a WAF (Web Application Firewall) rule to detect and block requests containing the suspicious \r\r\r sequence in headers. Monitor Undertow access logs for unusual patterns or unexpected requests that might indicate exploitation attempts. After upgrading, confirm the fix by sending a test request with the malicious header sequence and verifying that it is properly rejected.
Update to version 2.5.4 or higher to mitigate the request smuggling vulnerability. This update corrects how Undertow handles header block terminators, preventing exploitation through `\r\r\r` sequences.
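The header-normalization workaround described above comes down to one rule a proxy or WAF can enforce: inside the header block, a CR byte must only ever appear as the first half of a CRLF, so any CR followed by something other than LF (which is exactly what `\r\r\r` produces) is grounds for rejecting the request before it reaches Undertow. The following Python check is an added example illustrating that rule; it is not code from the advisory or from the Undertow project, and the sample requests, header names and host name in it are constructed for illustration.

```python
"""Detect bare CR bytes (for example \\r\\r\\r) in an HTTP/1.1 header block.

Added example for this advisory; not Apache Undertow code. The request
samples at the bottom are constructed, not captured traffic.
"""
import re
from typing import Optional

# A CR that is not immediately followed by LF. In a well-formed header block
# every CR is the first byte of a CRLF, so any match here is a bare CR.
BARE_CR = re.compile(rb"\r(?!\n)")


def header_block(raw: bytes) -> bytes:
    """Return the request line and headers up to and including CRLFCRLF.

    If the terminator is absent (truncated or malformed request), the whole
    buffer is treated as header block so nothing escapes inspection.
    """
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[: end + 4]


def find_bare_cr(raw: bytes) -> Optional[int]:
    """Byte offset of the first bare CR in the header block, or None if clean."""
    match = BARE_CR.search(header_block(raw))
    return match.start() if match else None


def should_block(raw: bytes) -> bool:
    """WAF-style verdict: reject a request whose header block has a bare CR."""
    return find_bare_cr(raw) is not None


# Constructed sample: well-formed request, every CR is part of a CRLF.
CLEAN = (
    b"GET /index HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

# Constructed sample: \r\r\r inside the header block, as the advisory describes.
SUSPICIOUS = (
    b"GET /index HTTP/1.1\r\n"
    b"Host: app.example\r\r\r"   # bare CRs where a CRLF line ending belongs
    b"X-Trace: 1\r\n"
    b"\r\n"
)

# Constructed sample: \r\r\r appears only in the body, after the header
# terminator, so the header-block rule must not fire on it.
BODY_CR = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"\r\r\r"
)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS), ("body-cr", BODY_CR)):
        verdict = "BLOCK" if should_block(sample) else "allow"
        print(f"{label:10s} bare CR at {find_bare_cr(sample)!r:6} -> {verdict}")
```

The check deliberately scans only the header block: a CR run in a request body is legitimate binary data, and treating it as an attack would cause false positives on uploads. The same rule can also be applied to the raw request line as it appears in a proxy or Undertow access log when hunting for the attempts the advisory recommends monitoring for.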
CVE-2026-28367 is a HIGH severity vulnerability in Apache Undertow versions 1.0.0–2.5.3 that allows remote attackers to exploit a header block terminator issue, potentially enabling request smuggling.
If you are using Apache Undertow versions 1.0.0 through 2.5.3 and are behind a proxy server like Apache Traffic Server or Google Cloud Classic Application Load Balancer, you are potentially affected.
Upgrade to Apache Undertow version 2.5.4 or later. As a temporary workaround, configure your proxy server to strictly enforce header normalization or implement a WAF rule to block malicious headers.
While no public exploits have been released, the vulnerability's ease of exploitation makes it a likely target for attackers, so proactive mitigation is recommended.
Refer to the Apache Security page for the latest information and advisory regarding CVE-2026-28367: [https://security.apache.org/](https://security.apache.org/)