External risk intelligence

Undertow Request Smuggling Vulnerability via Header Terminator

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-28367

A vulnerability in Undertow allows for request smuggling by sending specific header terminators, potentially leading to unauthorized access or manipulation of web requests when used with certain proxy servers.

Halo Surface Signal: 5

Redhat Build Of Apache Camel Hawtio


External exposure likelihood

Halo Surface Signal score for CVE-2026-28367

The vulnerability exists in Undertow, a widely used web server/framework component often deployed at the network edge as a gateway or web server. Because the flaw involves request smuggling in conjunction with proxy servers and load balancers, it inherently affects components that are public-facing by design, since they exist to accept and route web traffic.

PCI scan relevance

PCI Relevance for CVE-2026-28367

Yes

CVE-2026-28367 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is relevant to PCI scans as it enables request smuggling, which can lead to unauthorized access or manipulation of web requests. This type of vulnerability is considered an automatic fail by ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in the Undertow web server component, which could allow for unauthorized access or manipulation of web requests through a technique called request smuggling. This issue arises from how specific header terminators are processed, potentially enabling malicious actors to bypass security controls when certain proxy servers or load balancers are in use. The main concern is confirming relevance and exposure.

  • Undertow flaw allows request smuggling.
  • Critical for network-facing web components.
  • Confirm exposure in proxy environments.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted header blocks to a web server that uses Undertow. This attack works when the server communicates with certain proxy servers or load balancers, enabling the attacker to "smuggle" malicious requests past legitimate traffic. This could result in the attacker gaining unauthorized access to sensitive information or the ability to manipulate requests made by other users.

  • Requires network access.
  • Triggered by sending specific header terminators.
  • Risk of unauthorized access and request manipulation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to perform request smuggling, which might lead to unauthorized access or modification of web requests when specific proxy servers are in use.

  • Web requests and server responses.
  • Via specially crafted header blocks.
  • Unauthorized access or request manipulation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, exploitable via request smuggling, likely impacts teams responsible for managing public-facing web applications and their underlying infrastructure. The first practical step is to identify all instances of the affected Undertow component and any integrated proxy or load balancing solutions, confirm their exposure and criticality, and then determine the accountable application or platform owner to plan remediation.

  • Identify affected systems and owners.
  • Verify exposure and business criticality.
  • Coordinate vendor updates and deploy fixes.

Frequently asked questions

What is Undertow and where is it used?

Undertow is a flexible, high-performance web server component frequently used in Java-based infrastructure. It serves as the underlying web engine for many Red Hat products, including JBoss Enterprise Application Platform, Data Grid, and various integration platforms like Fuse and Camel. Because it handles the fundamental task of processing web requests, it is often found powering the entry points of enterprise applications and service gateways.

What does CVE-2026-28367 mean for request handling?

This vulnerability is classified as CWE-444, HTTP Request Smuggling. It occurs when a web server and a front-end proxy disagree on where a request ends. In this case, an attacker can use a specific sequence of characters in a header terminator so that the proxy and Undertow place the request boundary differently. This misalignment allows the attacker to inject their own hidden requests into the stream, which the back-end system might mistakenly process as part of a legitimate user's session.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending a specifically crafted HTTP request containing multiple carriage return characters to represent the header block terminator. It is important to note that the vulnerability does not manifest in isolation; it requires a specific interaction between Undertow and certain proxy servers or load balancers, such as older versions of Apache Traffic Server or specific Google Cloud configurations, to succeed.
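The two answers above describe the desync precondition (proxy and back end disagreeing on where the header block ends) and the trigger (a non-standard terminator built from runs of carriage returns). The following is an added defensive example, not Undertow code and not from the advisory or Red Hat: a strict pre-filter a front-end proxy rule, WAF check, or offline log analysis could apply, accepting only the RFC 9112 terminator CRLF CRLF and rejecting any header block that contains a bare CR or bare LF. Every sample request in the block is constructed for this example; host names and labels are placeholders.

```python
"""Strict HTTP/1.1 header-block terminator check (added example).

Illustration code for the CWE-444 discussion above, not Undertow's parser and
not from the advisory. A front end and a back end that both apply this rule
cannot disagree about where the header block ends, which removes the
precondition for request smuggling via the terminator. Sample requests are
constructed, not captured traffic.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

CRLF = b"\r\n"
HEADER_TERMINATOR = CRLF + CRLF

# A CR not immediately followed by LF ("bare CR"). RFC 9112 section 2.2 requires
# a recipient to reject it or replace it with SP; it is never a line ending.
BARE_CR = re.compile(rb"\r(?!\n)")


class Verdict(NamedTuple):
    verdict: str            # "ok", "reject" or "incomplete"
    reasons: List[str]      # why a block was rejected
    header_end: Optional[int]  # offset just past CRLF CRLF, or None


def find_header_block_end(raw: bytes) -> Optional[int]:
    """Offset just past the canonical CRLF CRLF terminator, or None if absent."""
    idx = raw.find(HEADER_TERMINATOR)
    return None if idx == -1 else idx + len(HEADER_TERMINATOR)


def classify_header_block(raw: bytes) -> Verdict:
    """Classify the header block at the start of a raw HTTP/1.1 request.

    "ok"         - terminated by CRLF CRLF with no stray CR/LF inside the block
    "reject"     - a bare CR or bare LF appears inside the header block, so a
                   lenient parser elsewhere in the chain might end the headers
                   at a different offset (the desync the advisory describes)
    "incomplete" - no terminator yet (partial read): keep buffering or time out
    Only the header block is inspected; bytes after the terminator belong to
    the message body and may legitimately contain anything.
    """
    end = find_header_block_end(raw)
    head = raw if end is None else raw[:end]
    reasons: List[str] = []

    if BARE_CR.search(head):
        reasons.append("bare CR inside header block")
    if b"\n" in head.replace(CRLF, b""):
        reasons.append("bare LF used as a line terminator")

    if reasons:
        verdict = "reject"
    elif end is None:
        verdict = "incomplete"
    else:
        verdict = "ok"
    return Verdict(verdict, reasons, end)


# Constructed sample requests (placeholder host, not real traffic).
SAMPLES: List[Tuple[str, bytes]] = [
    ("canonical", b"GET / HTTP/1.1\r\nHost: app.example.test\r\n\r\n"),
    ("cr-run terminator", b"GET / HTTP/1.1\r\nHost: app.example.test\r\r\n\r\r\n"),
    ("bare-lf lines", b"GET / HTTP/1.1\nHost: app.example.test\n\n"),
    ("truncated", b"GET / HTTP/1.1\r\nHost: app.example.test\r\n"),
    ("cr in body only",
     b"POST / HTTP/1.1\r\nHost: app.example.test\r\nContent-Length: 3\r\n\r\na\rb"),
]


def audit_samples(samples=SAMPLES) -> dict:
    """Run the classifier over the samples and tally verdicts for alerting."""
    counts: dict = {}
    for label, raw in samples:
        result = classify_header_block(raw)
        counts[result.verdict] = counts.get(result.verdict, 0) + 1
        print(f"{label:18s} -> {result.verdict:10s} {'; '.join(result.reasons)}")
    return counts


if __name__ == "__main__":
    audit_samples()
```

The check deliberately rejects rather than normalises: replacing a bare CR with a space, which RFC 9112 also permits, still leaves room for another parser in the chain to treat it differently, whereas a reject at the edge gives every component the same answer. The "incomplete" verdict keeps partial reads from being misreported as attacks in a streaming deployment.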

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that this vulnerability is highly relevant for network-facing components. Because the request smuggling technique depends on a chain involving proxy servers and load balancers to reach the internal application, systems exposed directly to the internet are the primary concern. If your deployment uses Undertow as a gateway or edge server to handle external web traffic, it is considered a high-priority area for review.

What should I do first to address this?

Begin by auditing your infrastructure to map where Undertow is deployed and, crucially, which proxy servers or load balancers sit in front of those instances. Since this is an architectural issue, you must confirm both the software version and the specific network configuration. Once you have identified these combinations, prioritize reaching out to the owners of these applications to coordinate the deployment of vendor-provided security updates.
