CVE-2026-28299 Overview
CVE-2026-28299 is a denial-of-service vulnerability affecting SolarWinds Web Help Desk (WHD). An unauthenticated attacker can send crafted network requests that consume excessive server memory. The condition exhausts available heap resources and crashes the Web Help Desk server process. The flaw maps to [CWE-770] (Allocation of Resources Without Limits or Throttling).
The vulnerability requires no authentication or user interaction and is exploitable over the network. SolarWinds addressed the issue in Web Help Desk 2026.2. Refer to the SolarWinds Security Advisory CVE-2026-28299 for vendor guidance.
Critical Impact
Unauthenticated attackers can crash the Web Help Desk server remotely, disrupting IT service management workflows and ticketing operations for all users.
Affected Products
- SolarWinds Web Help Desk versions prior to 2026.2
- On-premises Web Help Desk deployments exposed to untrusted networks
- Java-based WHD server instances handling HTTP request processing
Discovery Timeline
- 2026-06-02 - CVE-2026-28299 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-28299
Vulnerability Analysis
The vulnerability is a resource exhaustion flaw classified under [CWE-770]. Web Help Desk fails to enforce limits on memory allocation when processing specific network requests. An attacker sends crafted input that forces the server to allocate large memory regions without bound. The Java Virtual Machine eventually throws an OutOfMemoryError, terminating the WHD service.
Because the attack vector is network-based and requires no privileges, any client able to reach the WHD listening port can trigger the condition. Restoring service requires restarting the server process, and repeated exploitation produces sustained outages. The impact falls primarily on availability, with limited integrity impact and no confidentiality loss.
Root Cause
The root cause is missing input size validation and absent resource throttling in request handling logic. The application accepts inputs that drive unbounded internal buffers or object graphs. Without rate limits, request size caps, or memory ceilings, the JVM heap is consumed until allocation fails.
Attack Vector
An attacker sends a malicious HTTP or HTTPS request to the Web Help Desk listener. The request triggers expensive allocation paths inside the WHD application code. No authentication cookie, session token, or user interaction is needed. Repeated requests amplify the effect, producing prolonged denial-of-service conditions for legitimate help desk operators and ticket submitters.
No public proof-of-concept code is available at this time. See the SolarWinds WHD 2026.2 Release Notes for vendor-supplied technical context.
Detection Methods for CVE-2026-28299
Indicators of Compromise
- Web Help Desk service crashes accompanied by java.lang.OutOfMemoryError entries in whd.log or catalina.out
- Sudden spikes in JVM heap usage on the WHD host prior to process termination
- Repeated unauthenticated HTTP requests to WHD endpoints from a single source IP
- Tomcat or WHD worker threads stalling or terminating without graceful shutdown messages
Detection Strategies
- Monitor WHD application logs for unhandled memory allocation exceptions and abnormal restarts
- Inspect HTTP access logs for unusually large request bodies or repeated requests targeting the same endpoint
- Correlate server crash events with network telemetry to identify the originating source
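The correlation described in these strategies can be sketched as follows. This is an added example, not vendor code or part of the original advisory. It assumes a reverse-proxy access log whose last field is nginx's `$request_length` and an application log with UTC timestamps; the log lines, addresses, path and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed samples. Assumed formats: a proxy access log whose last field is
# nginx's $request_length, and an application log with UTC timestamps.
ACCESS_LOG = """\
198.51.100.99 - - [03/Jun/2026:10:05:00 +0000] "POST /example-path HTTP/1.1" 200 512 5000000
203.0.113.20 - - [03/Jun/2026:10:14:30 +0000] "GET /example-path HTTP/1.1" 200 2048 420
192.0.2.55 - - [03/Jun/2026:10:14:40 +0000] "GET /example-path HTTP/1.1" 200 2048 380
192.0.2.55 - - [03/Jun/2026:10:14:41 +0000] "GET /example-path HTTP/1.1" 200 2048 380
192.0.2.55 - - [03/Jun/2026:10:14:42 +0000] "GET /example-path HTTP/1.1" 200 2048 380
198.51.100.7 - - [03/Jun/2026:10:14:58 +0000] "POST /example-path HTTP/1.1" 502 0 9400000
"""
APP_LOG = """\
2026-06-03 10:15:05 ERROR java.lang.OutOfMemoryError: Java heap space
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ (\d+)$')
OOM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d).*java\.lang\.OutOfMemoryError")

def parse_access(text):
    """Yield (utc_time, source_ip, request_bytes) for each well-formed line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.astimezone(timezone.utc).replace(tzinfo=None), m.group(1), int(m.group(3))

def oom_times(text):
    """Timestamps of every OutOfMemoryError entry in the application log."""
    hits = (OOM_RE.match(line) for line in text.splitlines())
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") for m in hits if m]

def suspects(access_text, app_text, window_s=60, max_bytes=1_048_576, max_reqs=20):
    """For each crash, list sources with oversized or high-volume traffic just before it."""
    requests = list(parse_access(access_text))
    findings = {}
    for crash in oom_times(app_text):
        start = crash - timedelta(seconds=window_s)
        stats = defaultdict(lambda: [0, 0])  # ip -> [request count, largest request]
        for ts, ip, size in requests:
            if start <= ts <= crash:
                stats[ip][0] += 1
                stats[ip][1] = max(stats[ip][1], size)
        findings[crash.isoformat()] = {
            ip: {"requests": n, "largest_bytes": big}
            for ip, (n, big) in stats.items() if n > max_reqs or big > max_bytes}
    return findings
```

Calling `suspects(ACCESS_LOG, APP_LOG)` returns one entry per crash timestamp; tune `window_s`, `max_bytes` and `max_reqs` to the baseline traffic of the WHD listener.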
Monitoring Recommendations
- Configure JVM heap and garbage collection metrics in your APM or infrastructure monitoring stack
- Alert on Web Help Desk service restarts and Tomcat worker thread exhaustion
- Forward WHD and operating system logs to a centralized SIEM for correlation with network flow data
- Track request rate and payload size distributions on the WHD listener to detect anomalies
How to Mitigate CVE-2026-28299
Immediate Actions Required
- Upgrade SolarWinds Web Help Desk to version 2026.2 or later as documented in the vendor advisory
- Restrict network access to the WHD management interface using firewall rules or VPN-only access
- Place a reverse proxy or web application firewall in front of WHD to enforce request size and rate limits
- Review WHD logs for prior crash events and confirm whether opportunistic exploitation has occurred
Patch Information
SolarWinds has released a fixed version in Web Help Desk 2026.2. Apply the upgrade following the SolarWinds WHD 2026.2 Release Notes. Validate the upgrade in a staging environment, take a database backup, and follow vendor-documented procedures before patching production instances.
Workarounds
- Limit WHD exposure to trusted internal networks until the patch is applied
- Configure upstream proxies to cap HTTP request body size and enforce per-source rate limits
- Increase JVM heap headroom temporarily to delay exhaustion, while recognizing this is not a fix
- Implement automated service restart and alerting to reduce outage duration during exploitation attempts
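# Example reverse proxy mitigation (NGINX) limiting body size and request rate
http {
    # Track request rate per client address: 10 MB of shared state, 10 requests per second
    limit_req_zone $binary_remote_addr zone=whd_rl:10m rate=10r/s;

    server {
        listen 443 ssl;
        server_name whd.example.com;
        # Placeholder certificate paths; nginx needs a certificate for "listen ... ssl"
        ssl_certificate     /path/to/whd.example.com.crt;
        ssl_certificate_key /path/to/whd.example.com.key;

        # Reject request bodies larger than 1 MB before they reach WHD
        client_max_body_size 1m;
        # Allow bursts of up to 20 requests without delay; reject anything beyond that
        limit_req zone=whd_rl burst=20 nodelay;

        location / {
            proxy_pass https://whd-backend:8443;
            proxy_read_timeout 30s;
        }
    }
}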