Platform: java
Component: undertow
Fixed in: 1.10.0, 2.5.4
A critical vulnerability has been identified in Undertow, a Java servlet container. The flaw stems from Undertow's improper handling of HTTP header lines that begin with leading spaces: accepting such lines violates the HTTP standards and allows a remote attacker to perform request smuggling, potentially leading to significant security breaches. Versions 1.0.0 through 2.5.3 are affected, and a patch is available in version 2.5.4.
Request smuggling is an attack technique that exploits discrepancies in how different components of a web infrastructure (e.g., load balancers, proxies, application servers) interpret the same HTTP request. By crafting requests whose header lines begin with spaces, an attacker can cause Undertow to parse the request differently from the proxy or load balancer in front of it. This can allow them to bypass authentication mechanisms, access restricted resources, or manipulate web caches. The potential impact includes unauthorized access to sensitive data, session hijacking, and even complete compromise of the web application. This vulnerability shares similarities with other request smuggling attacks that have targeted major web servers, highlighting the importance of strict HTTP header parsing.
This CVE was publicly disclosed on 2026-03-27. Currently, there are no known active campaigns exploiting this vulnerability, and no public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 8.7 (HIGH) indicates a significant potential for exploitation if a PoC is developed and widely adopted.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28369 is to upgrade Undertow to version 2.5.4 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds. These may include configuring reverse proxies or load balancers to normalize HTTP headers by stripping leading spaces before forwarding requests to Undertow. Additionally, carefully review and restrict access to sensitive resources to minimize the potential impact of a successful attack. After upgrading, confirm the fix by sending a crafted HTTP request with leading spaces in the header line and verifying that Undertow correctly processes the request according to HTTP standards.
Update Undertow to version 2.5.4 or later to mitigate the vulnerability. This update corrects the improper handling of HTTP headers that can allow for 'request smuggling'. Refer to the official Red Hat documentation for specific update instructions for affected products.
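As an added example (not Undertow's code and not part of this advisory), the following Python check is the kind of strict header validation a reverse proxy or gateway can apply in front of Undertow as an interim control: rather than stripping leading spaces, it takes the stricter of the two options the HTTP specification allows and rejects a request whose header line begins with a space or tab, so the front end and the container can never read that line differently. The hostnames, header names and request heads are constructed sample data.

```python
import re

# field-name = token (RFC 9110 s5.6.2): no whitespace allowed before the colon.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

class HeaderViolation(ValueError):
    """The request head is not strict HTTP/1.1 and must be answered with 400."""

def parse_headers_strict(raw: bytes) -> dict[str, list[str]]:
    """Parse a request head (request line through the blank line) strictly.

    Rejects a header line beginning with SP or HTAB (obsolete line folding,
    which RFC 9112 s5.2 requires a server to reject or normalise), whitespace
    before the colon, and bare CR or LF, so a front end and the servlet
    container behind it cannot disagree about where each field ends.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderViolation("header block not terminated by CRLF CRLF")
    request_line, *field_lines = head.split(b"\r\n")
    if not request_line or request_line[:1] in (b" ", b"\t"):
        raise HeaderViolation("request line missing or starts with whitespace")
    headers: dict[str, list[str]] = {}
    for lineno, line in enumerate(field_lines, start=2):
        if b"\r" in line or b"\n" in line:
            raise HeaderViolation(f"line {lineno}: bare CR or LF in header line")
        if line[:1] in (b" ", b"\t"):
            # The input shape CVE-2026-28369 concerns: reject instead of guessing.
            raise HeaderViolation(f"line {lineno}: header line begins with whitespace")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("ascii", "replace")):
            raise HeaderViolation(f"line {lineno}: malformed field name {name!r}")
        headers.setdefault(name.decode("ascii").lower(), []).append(
            value.strip(b" \t").decode("latin-1"))
    return headers

def classify(raw: bytes) -> str:
    """Return 'forward' for a clean head, or the 400 reason a proxy should log."""
    try:
        parse_headers_strict(raw)
    except HeaderViolation as exc:
        return f"400 Bad Request: {exc}"
    return "forward"

# Constructed sample request heads, not captured traffic.
GOOD_REQUEST = b"GET / HTTP/1.1\r\nHost: app.example.test\r\nX-Request-Id: abc123\r\n\r\n"
# Identical, except the second header line starts with a space.
FOLDED_REQUEST = b"GET / HTTP/1.1\r\nHost: app.example.test\r\n X-Request-Id: abc123\r\n\r\n"
```

Running `classify(FOLDED_REQUEST)` yields a 400 reason naming line 3, while `classify(GOOD_REQUEST)` returns `forward`; the same function can be pointed at a post-upgrade Undertow to confirm that it, too, no longer accepts the folded form.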
CVE-2026-28369 is a HIGH severity vulnerability in Undertow where leading spaces in HTTP headers are mishandled, enabling request smuggling and potential data exposure. It affects versions 1.0.0–2.5.3.
You are affected if you are using Undertow versions 1.0.0 through 2.5.3. Check your version and upgrade immediately if vulnerable.
Upgrade Undertow to version 2.5.4 or later. If immediate upgrade is not possible, implement workarounds like header normalization on reverse proxies.
As of now, there are no confirmed active exploits or public proof-of-concept code available for CVE-2026-28369.
Refer to the official Undertow project website and relevant security mailing lists for updates and advisories regarding CVE-2026-28369.