CVE-2026-28368 — Undertow is Vulnerable to HTTP Request/Response Smuggling

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

How to fix CVE-2026-28368

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2026-28368 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, <= 2.3.23.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-28368
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-28368
PATCHgithub.com/undertow-io/undertow
WEBaccess.redhat.com/errata/RHSA-2026:25125
WEB