CVE-2026-28368: Undertow Request Smuggling Vulnerability

Platform

java

Component

undertow

Fixed in

2.5.4

CVE-2026-28368 describes a request smuggling vulnerability within the Undertow application server. This flaw allows a remote attacker to craft requests with header names that are parsed differently by Undertow compared to upstream proxies, potentially bypassing security controls and accessing unauthorized resources. The affected component is Undertow. No official patch is currently available.

How to fix

Update Undertow to version 2.5.4 or later to mitigate the request smuggling vulnerability. Check the release notes for upgrade instructions specific to your environment. Ensure that the Undertow configuration is consistent with the configuration of upstream proxies to avoid discrepancies in header parsing.

Frequently asked questions

What is CVE-2026-28368?

CVE-2026-28368 is a request smuggling vulnerability in Undertow. It allows attackers to craft requests that are interpreted differently by Undertow and upstream proxies, potentially bypassing security measures.

Am I affected by CVE-2026-28368?

You are potentially affected if you are using Undertow as your application server. The vulnerability allows for request smuggling, which can lead to unauthorized access and security breaches.

How can I fix or mitigate CVE-2026-28368?

Currently, there is no official patch available. Mitigation strategies may include carefully configuring upstream proxies and implementing robust input validation to prevent request smuggling attacks.
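The mitigation advice above (keep Undertow and upstream proxies parsing headers consistently, and validate input) comes down to one rule: the edge should refuse any request head that two parsers could plausibly read differently, rather than trying to "repair" it. The following validator is an added example written for this page; it is not code from the advisory, from Undertow, or from any proxy product. It enforces the RFC 9110 token grammar for header field names and rejects bare-LF line endings, obsolete line folding, non-ASCII bytes, and conflicting framing headers. The advisory does not say which specific header names trigger the Undertow discrepancy, so the example rejects the whole class of non-token names; the sample request heads at the bottom are constructed for the demonstration and do not reproduce any exploit.

```python
from __future__ import annotations

import re

# RFC 9110 token grammar for header field names:
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderError(ValueError):
    """Raised when a request head is malformed or ambiguous."""


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Parse an HTTP/1.1 request head strictly.

    Returns (request_line, [(lowercased_name, value), ...]). Raises
    HeaderError for anything a lenient parser might silently repair,
    because two parsers repairing differently is what makes smuggling
    possible: bare LF, non-token field names (which also covers
    whitespace before the colon), obs-fold continuation lines, and
    non-ASCII bytes anywhere in the head.
    """
    if b"\r\n\r\n" not in raw:
        raise HeaderError("incomplete head (no CRLFCRLF)")
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise HeaderError("non-ASCII byte in head") from exc
    if "\n" in text.replace("\r\n", ""):
        raise HeaderError("bare LF line ending")
    lines = text.split("\r\n")
    request_line, field_lines = lines[0], lines[1:]
    fields: list[tuple[str, str]] = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            raise HeaderError("obsolete line folding")
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderError(f"missing colon in field line {line!r}")
        if not TOKEN_RE.fullmatch(name):
            raise HeaderError(f"invalid field name {name!r}")
        fields.append((name.lower(), value.strip(" \t")))
    return request_line, fields


def check_framing(fields: list[tuple[str, str]]) -> None:
    """Reject heads whose message length could be computed two ways."""
    cl = [v for n, v in fields if n == "content-length"]
    te = [v for n, v in fields if n == "transfer-encoding"]
    if cl and te:
        raise HeaderError("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        raise HeaderError("conflicting Content-Length values")
    for v in cl:
        if not v.isdigit():
            raise HeaderError(f"non-numeric Content-Length {v!r}")


def triage(samples: dict[str, bytes]) -> dict[str, str]:
    """Run every sample through the strict parser; 'accepted' or 'rejected: why'."""
    verdicts = {}
    for label, raw in samples.items():
        try:
            _, fields = parse_head(raw)
            check_framing(fields)
            verdicts[label] = "accepted"
        except HeaderError as exc:
            verdicts[label] = f"rejected: {exc}"
    return verdicts


# Constructed sample request heads for the demonstration (not from the advisory).
SAMPLES = {
    "clean": b"GET /ok HTTP/1.1\r\nHost: app.example\r\nX-Req-Id: 7\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Flag : 1\r\n\r\n",
    "non_token_char": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Fl\x7fag: 1\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\r\nHost: app.example\nX-Flag: 1\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:20s} {verdict}")
```

Deploying a check like this at the proxy (or as an Undertow handler that closes the connection on a `HeaderError`) removes the parsing gap the advisory describes for names outside the token grammar; it does not replace the upgrade to 2.5.4 or later, since the page does not say the affected parsing is limited to the cases rejected here.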
