Platform: java
Component: undertow
Fixed in: 1.10.0, 2.5.4
CVE-2026-28368 is a request smuggling vulnerability discovered in Undertow. This flaw allows attackers to craft malicious requests that are interpreted differently by Undertow and upstream proxies, enabling them to bypass security measures and potentially access sensitive resources. The vulnerability impacts Undertow versions 1.0.0 through 2.5.3, and a fix is available in version 2.5.4.
The core of this vulnerability lies in Undertow's inconsistent header parsing compared to common proxy servers. An attacker can leverage this difference to inject malicious requests into the request processing pipeline. This can lead to several severe consequences, including unauthorized access to protected resources, session hijacking, and potentially even remote code execution if the underlying application is vulnerable to related exploits. The attack pattern resembles classic request smuggling techniques, allowing attackers to effectively hide their malicious requests within seemingly legitimate traffic. The blast radius extends to any application relying on Undertow as its web server or servlet container, particularly those deployed behind reverse proxies.
This CVE was publicly disclosed on 2026-03-27. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 8.7 (HIGH) indicates a significant potential for exploitation. While not yet listed on CISA KEV, its severity warrants close monitoring. The vulnerability's nature aligns with well-understood request smuggling techniques, increasing the likelihood of exploitation if a suitable public proof-of-concept is released.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28368 is to upgrade to Undertow version 2.5.4 or later, which contains the fix for the header parsing discrepancy. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as carefully validating and normalizing all incoming HTTP headers at the proxy level. Deploying a Web Application Firewall (WAF) with rules specifically designed to detect and block request smuggling attempts can also provide an additional layer of defense. Monitor Undertow logs for unusual patterns or discrepancies in header processing. After upgrading, confirm the fix by sending crafted requests designed to trigger the vulnerability and verifying that they are now properly handled.
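The proxy-level header validation suggested above, shown as an added example that is not part of this advisory or of the Undertow project. It implements the generic HTTP/1.1 framing checks a reverse proxy can apply before forwarding a request to Undertow: conflicting or duplicated Content-Length, Content-Length sent alongside Transfer-Encoding, a Transfer-Encoding value that is not exactly "chunked", and header lines a strict parser and a lenient one would read differently (whitespace before the colon, obsolete line folding, bare CR or LF). The sample requests are constructed for the demonstration, and nothing here encodes the specific parsing discrepancy behind CVE-2026-28368, which the advisory does not describe.

```python
"""Strict HTTP/1.1 request-head validator for use at a reverse proxy.

Added example (not from the advisory or the Undertow project). A request
that fails any check is rejected rather than forwarded, so the proxy and
the backend never disagree about where the message body ends.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Field-name token characters (RFC 7230 tchar). No whitespace may precede
# the colon, so a line such as "Content-Length : 4" does not match.
_HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def split_head(raw: bytes) -> Tuple[bytes, List[bytes]]:
    """Return the request line and the header lines of a raw request.

    Only the head (everything before the blank line) is inspected; the
    body is not needed to decide whether the framing is ambiguous.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:]


def parse_headers(lines: List[bytes]) -> List[Tuple[str, bytes]]:
    """Parse header lines strictly into (lowercased name, value) pairs.

    Raises ValueError on any line that lenient and strict parsers might
    interpret differently (folding, bare CR/LF, malformed names).
    """
    parsed = []
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding is not allowed")
        if b"\r" in line or b"\n" in line:
            raise ValueError("bare CR or LF inside a header line")
        m = _HEADER_LINE.match(line)
        if not m:
            raise ValueError("malformed header line: %r" % line[:40])
        parsed.append((m.group(1).decode("ascii").lower(), m.group(2)))
    return parsed


def check_request(raw: bytes) -> Verdict:
    """Return ok=False with reasons when the message framing is ambiguous."""
    reasons: List[str] = []
    try:
        _request_line, lines = split_head(raw)
        headers = parse_headers(lines)
    except ValueError as exc:
        return Verdict(False, [str(exc)])

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # RFC 7230 section 3.3.3: a message carrying both headers is a known
    # smuggling risk; a proxy should reject it rather than pick a winner.
    if cl_values and te_values:
        reasons.append("both Content-Length and Transfer-Encoding present")

    # Content-Length must be a single, unambiguous run of ASCII digits.
    if cl_values:
        distinct = set(cl_values)
        if len(distinct) > 1:
            reasons.append("conflicting Content-Length values")
        for v in distinct:
            if not re.fullmatch(rb"[0-9]+", v):
                reasons.append("non-canonical Content-Length value %r" % v)

    # Accept only one Transfer-Encoding header whose value is exactly
    # "chunked" (case-insensitive); extra codings, odd whitespace or
    # look-alike spellings are rejected because peers disagree on them.
    if te_values:
        if len(te_values) > 1:
            reasons.append("multiple Transfer-Encoding headers")
        for v in te_values:
            if v.lower() != b"chunked":
                reasons.append("unsupported or obfuscated Transfer-Encoding %r" % v)

    return Verdict(not reasons, reasons)


# Constructed sample requests (not captured traffic) covering each check.
SAMPLES = {
    "clean_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "clean_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\n",
    "space_before_colon": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length : 4\r\n\r\n",
    "obfuscated_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> Verdict."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        status = "FORWARD" if verdict.ok else "REJECT"
        print(f"{name:20s} {status}  {'; '.join(verdict.reasons)}")
```

The validator deliberately rejects rather than normalizes the ambiguous cases: rewriting a request so that the proxy's interpretation wins still leaves the backend to parse whatever the proxy emits, whereas dropping the request removes the disagreement entirely. Logging each `Verdict.reasons` list at the proxy also gives the "unusual patterns" signal the advisory recommends watching for.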
Update Undertow to version 2.5.4 or higher to mitigate the request smuggling vulnerability. Refer to the Undertow release notes for specific upgrade instructions for your environment. Ensure thorough testing after the upgrade to guarantee compatibility.
CVE-2026-28368 is a HIGH severity vulnerability in Undertow allowing attackers to exploit header parsing differences for request smuggling, potentially bypassing security controls.
You are affected if you are using Undertow versions 1.0.0 through 2.5.3. Upgrade to 2.5.4 or later to mitigate the risk.
Upgrade to Undertow version 2.5.4 or later. As a temporary workaround, validate and normalize incoming HTTP headers at the proxy level.
Currently, there are no known active campaigns exploiting CVE-2026-28368, but its severity and the potential for exploitation warrant vigilance.
Refer to the official Undertow project website and relevant security mailing lists for the latest advisory and updates regarding CVE-2026-28368.