CVE-2026-28368 Overview
A critical HTTP Request Smuggling vulnerability has been identified in Red Hat Undertow, the high-performance web server that serves as the foundation for JBoss Enterprise Application Platform and numerous other Red Hat products. This flaw allows remote attackers to craft specially designed HTTP requests where header names are parsed differently by Undertow compared to upstream proxies. The discrepancy in header interpretation creates a dangerous condition that can be exploited to bypass security controls and gain unauthorized access to protected resources.
Critical Impact
Remote attackers can exploit header parsing inconsistencies to smuggle malicious requests through security controls, potentially accessing unauthorized resources without authentication.
Affected Products
- Red Hat Undertow
- Red Hat JBoss Enterprise Application Platform 7.0.0 and 8.0.0
- Red Hat Build of Apache Camel - Hawtio 4.0
- Red Hat Build of Apache Camel for Spring Boot 4.0
- Red Hat Data Grid 8.0
- Red Hat Fuse 7.0.0
- Red Hat Single Sign-On 7.0
- Red Hat Process Automation 7.0
- Red Hat JBoss Enterprise Application Platform Expansion Pack
- Red Hat Enterprise Linux 9.0
Discovery Timeline
- 2026-03-27 - CVE-2026-28368 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-28368
Vulnerability Analysis
This vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), commonly known as HTTP Request Smuggling. The flaw exists in Undertow's HTTP header parsing logic, which interprets certain header names differently than upstream proxies such as load balancers, reverse proxies, or API gateways.
When a client sends a crafted HTTP request through a proxy chain, the proxy and Undertow may disagree on where one request ends and the next begins. This desynchronization allows an attacker to "smuggle" a hidden request that bypasses the proxy's security inspection while being processed by the backend Undertow server.
The vulnerability enables attacks that can compromise confidentiality and integrity of data, allowing unauthorized access to protected endpoints and potential manipulation of responses to other users.
Root Cause
The root cause is that Undertow's header-name parsing does not line up with the RFC 9110/9112 rules that common proxies implement. When a header name contains unusual characters, whitespace or encoding variations, Undertow may accept or normalise it where the proxy does not (or the reverse), so the two components can disagree on which headers a request actually carries. The public description does not enumerate the triggering variants, so any header name that is not a clean token (letters, digits and the punctuation RFC 9110 permits, immediately followed by the colon) should be treated as suspect.
Because request framing depends on headers such as Content-Length and Transfer-Encoding, a disagreement about whether such a header is present becomes a disagreement about where the body ends. The bytes the proxy treats as the tail of one request are then read by Undertow as the start of a new one, and that second request never passed through the proxy's inspection.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it highly exploitable in internet-facing deployments. An attacker can exploit this vulnerability remotely by:
- Identifying a deployment where Undertow sits behind a proxy or load balancer
- Crafting an HTTP request whose header names trigger the parsing discrepancy, so that the proxy and Undertow disagree about a framing header such as Transfer-Encoding or Content-Length
- Embedding a secondary "smuggled" request in the body of the outer request
- Sending it through the proxy, which forwards what it sees as one request while Undertow processes it as two
The smuggled request bypasses any security controls enforced at the proxy layer, potentially allowing access to administrative endpoints, session hijacking, or cache poisoning attacks. Since this requires no privileges and can be executed anonymously over the network, environments with Undertow behind reverse proxies are particularly at risk.
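To make the desynchronization described in the Root Cause and Attack Vector sections concrete, here is an added example (not Undertow, proxy or Red Hat code, and not from the original advisory). It frames the same byte stream with two parsers that differ in one header-name rule, shows that one sees a single request while the other sees two, and includes the edge check a proxy or application filter would apply. The modelled discrepancy, whether whitespace between the header name and the colon is stripped, is a hypothetical stand-in: the public description does not say which header-name variant triggers CVE-2026-28368. The request bytes are constructed for the example, not a captured exploit.

```python
"""
Toy model of a CWE-444 desynchronization caused by a header-name parsing
discrepancy. Added example for this page; it is not Undertow, proxy or
Red Hat code. The modelled discrepancy (stripping whitespace before the
colon) is a hypothetical stand-in for whatever variant the CVE involves.
"""
import re
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
# RFC 9110 "token" characters, the only ones allowed in a header name.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw: bytes, strip_name_ws: bool) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one request into (request line, headers, bytes after the headers).

    Names are lower-cased. With strip_name_ws=True trailing whitespace before
    the colon is removed (a lenient parser); with False the name is kept
    verbatim, so "Transfer-Encoding " is just an unknown header.
    """
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if strip_name_ws:
            name = name.strip()
        headers[name.lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes after the last chunk)."""
    body = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, data = data.partition(CRLF)  # skip the empty trailer section
            return body, data
        body += data[:size]
        data = data[size + len(CRLF):]


def split_requests(raw: bytes, strip_name_ws: bool) -> List[Tuple[bytes, bytes]]:
    """Frame a byte stream into (request line, body) pairs the way a parser
    with the given header-name policy would."""
    requests = []
    while raw:
        request_line, headers, rest = parse_headers(raw, strip_name_ws)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, rest = read_chunked(rest)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, rest = rest[:length], rest[length:]
        requests.append((request_line, body))
        raw = rest
    return requests


def reject_reason(raw: bytes) -> Optional[str]:
    """Edge validation a proxy or application filter can apply: refuse any
    header name that is not a clean token, and any request carrying both
    Content-Length and Transfer-Encoding (RFC 9112 section 6.1)."""
    head = raw.partition(CRLF + CRLF)[0]
    names = [line.partition(b":")[0] for line in head.split(CRLF)[1:]]
    for name in names:
        if not TOKEN_RE.match(name):
            return f"invalid header name {name!r}"
    lowered = {n.lower() for n in names}
    if b"content-length" in lowered and b"transfer-encoding" in lowered:
        return "both Content-Length and Transfer-Encoding present"
    return None


# Constructed attacker request (not a captured exploit): the outer POST has a
# Content-Length covering the whole tail, a "Transfer-Encoding " header with a
# space before the colon, and a second request hidden in the body.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: app.example" + CRLF + CRLF
BODY = b"0" + CRLF + CRLF + SMUGGLED
RAW = (
    b"POST /search HTTP/1.1" + CRLF
    + b"Host: app.example" + CRLF
    + b"Content-Length: " + str(len(BODY)).encode() + CRLF
    + b"Transfer-Encoding : chunked" + CRLF
    + CRLF
    + BODY
)


def views(raw: bytes) -> Tuple[int, int]:
    """(requests framed by a strict-name proxy, requests framed by a lenient backend)."""
    return len(split_requests(raw, False)), len(split_requests(raw, True))


if __name__ == "__main__":
    proxy_seen, backend_seen = views(RAW)
    print(f"proxy frames {proxy_seen} request(s); backend frames {backend_seen}")
    for line, _ in split_requests(RAW, True):
        print("  backend request:", line.decode())
    print("edge filter verdict:", reject_reason(RAW))
```

The strict-name side treats the whole tail as the POST body under Content-Length and sees one request; the lenient side honours the chunked encoding, hits the terminating chunk immediately, and frames the hidden GET /admin as a second request that the proxy never inspected. reject_reason shows why refusing non-token header names at the edge closes this class of discrepancy regardless of which side is lenient.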
Detection Methods for CVE-2026-28368
Indicators of Compromise
- Unusual HTTP responses being returned to clients that don't match their requests
- Backend (Undertow) access-log entries for sensitive endpoints that have no matching entry in the proxy's access log
- Evidence of cache poisoning or incorrect content being served to users
- Discrepancies between proxy request counts and backend server request counts
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block requests with malformed or suspicious header constructions
- Implement request correlation between proxy and backend logs to identify smuggled requests
- Monitor for unusual access patterns to administrative or protected endpoints
- Use anomaly detection to identify requests that bypass expected authentication flows
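The request-count discrepancy in the indicators above and the proxy-to-backend log correlation in the detection strategies can be scripted. The following is an added example for this page, not Red Hat or nginx tooling. It assumes the proxy stamps every request it forwards with an X-Request-ID that it also writes to its own access log (nginx can do this with its $request_id variable), and that Undertow's access log echoes that header. Both log formats, the field names and all log lines are constructed for the example.

```python
"""
Correlate proxy and backend access logs by request ID to surface requests
that Undertow served but the proxy never framed. Added example for this
page, not Red Hat or nginx code; log formats and lines are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumed proxy format: client - - [time] "request" status bytes request_id
PROXY_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rid>\S+)$'
)
# Assumed backend format: proxy_addr [time] "request" status x_request_id
BACKEND_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<rid>\S+)$'
)

# Constructed sample lines, not real traffic.
PROXY_LOG = """\
203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /search HTTP/1.1" 200 512 6f1c2a9e0b3d4c5e8f7a6b5c4d3e2f10
203.0.113.7 - - [27/Mar/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 0a1b2c3d4e5f60718293a4b5c6d7e8f9
"""

# The backend sees the proxy's address (10.0.0.5 here), and the smuggled
# GET /admin carries no proxy-issued ID because the proxy never framed it.
BACKEND_LOG = """\
10.0.0.5 [27/Mar/2026:10:00:01 +0000] "POST /search HTTP/1.1" 200 6f1c2a9e0b3d4c5e8f7a6b5c4d3e2f10
10.0.0.5 [27/Mar/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 200 -
10.0.0.5 [27/Mar/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 0a1b2c3d4e5f60718293a4b5c6d7e8f9
"""


def parse_log(text: str, pattern: "re.Pattern[str]") -> List[Dict[str, str]]:
    """Parse every line that matches the pattern; lines that do not are skipped."""
    entries = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_unmatched(proxy_log: str, backend_log: str) -> List[Dict[str, str]]:
    """Backend entries whose request ID is absent or unknown to the proxy.

    An attacker can put an X-Request-ID header inside the smuggled request,
    so an ID that is present but never issued by the proxy is flagged too.
    """
    known = {e["rid"] for e in parse_log(proxy_log, PROXY_RE)}
    return [e for e in parse_log(backend_log, BACKEND_RE)
            if e["rid"] == "-" or e["rid"] not in known]


def request_counts(proxy_log: str, backend_log: str) -> Tuple[int, int]:
    """(proxy request count, backend request count); a backend surplus is
    the count discrepancy listed among the indicators of compromise."""
    return (len(parse_log(proxy_log, PROXY_RE)),
            len(parse_log(backend_log, BACKEND_RE)))


if __name__ == "__main__":
    print("request counts (proxy, backend):", request_counts(PROXY_LOG, BACKEND_LOG))
    for e in find_unmatched(PROXY_LOG, BACKEND_LOG):
        print(f"UNMATCHED {e['time']} {e['request']!r} rid={e['rid']}")
```

The correlation key only works if the proxy overwrites X-Request-ID on every request it forwards; the smuggled inner request still keeps whatever the attacker placed in it, which is exactly why an absent or unknown ID at the backend is the signal. Undertow's access-log pattern can emit request headers, so the backend side of this can be produced without application changes; check the product documentation for the exact pattern token.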
Monitoring Recommendations
- Enable detailed HTTP access logging on both proxy and Undertow servers for forensic analysis
- Configure alerting for requests reaching sensitive endpoints without proper authentication headers
- Monitor HTTP error rates and response time anomalies that may indicate smuggling attempts
- Review and correlate Content-Length and Transfer-Encoding header usage patterns
How to Mitigate CVE-2026-28368
Immediate Actions Required
- Review the Red Hat CVE-2026-28368 Advisory for vendor-specific guidance and patch availability
- Audit all deployments using Undertow-based products to identify affected systems
- Ensure strict HTTP parsing modes are enabled on upstream proxies where available
- Implement network segmentation to limit exposure of vulnerable Undertow instances
Patch Information
Red Hat has acknowledged this vulnerability and is tracking it via Red Hat Bugzilla Report #2443261. Organizations should monitor the Red Hat Customer Portal for official patches and errata updates for affected products including JBoss EAP, Single Sign-On, Data Grid, and other Undertow-based solutions.
Subscribe to Red Hat security announcements to receive immediate notification when patches become available for your specific product versions.
Workarounds
- Configure upstream proxies to normalize and strictly validate HTTP headers before forwarding to Undertow
- Use HTTP/2 end to end where possible, since request smuggling relies on the ambiguous framing of HTTP/1.1; the protection only holds if the proxy also speaks HTTP/2 to Undertow, because a proxy that accepts HTTP/2 from clients and downgrades to HTTP/1.1 toward the backend reintroduces the ambiguity
- Deploy additional request validation at the application layer to reject requests with suspicious header patterns
- Consider a strict allowlist of expected header names at the proxy, rejecting any header whose name contains whitespace, control characters or other non-token characters; those are the variants most likely to be parsed differently by the two components
# Example: nginx reverse-proxy settings that reject ambiguous HTTP/1.1 framing
# before it reaches Undertow. Place the set/if blocks in server context.
# nginx 1.21.1 and later already reject requests that carry both
# Content-Length and Transfer-Encoding; on older releases do it explicitly.
# Initialise the flags so nginx does not log "uninitialized variable" warnings.
set $has_te "0";
set $has_cl "0";
if ($http_transfer_encoding ~* "chunked") {
    set $has_te "1";
}
if ($content_length != "") {
    set $has_cl "1";
}
if ($has_te$has_cl = "11") {
    return 400;
}
# Keep the default ignore_invalid_headers on: headers whose names contain
# characters outside the RFC token set are then dropped instead of forwarded.
ignore_invalid_headers on;
# Forward over HTTP/1.1 with a clean Connection header; "undertow_backend"
# is a placeholder upstream name.
location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://undertow_backend;
}
# Caveat: these settings harden framing at the proxy but do not by themselves
# fix a header-name parsing discrepancy inside Undertow; apply the vendor patch.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.