External risk intelligence

Undertow Request Smuggling Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-28368

A flaw in Undertow allows attackers to smuggle requests by exploiting differences in header name parsing between Undertow and upstream proxies, potentially bypassing security controls and gaining unauthorized access to resources. This vulnerability impacts external-facing web services and applications, making it import

Halo Surface Signal (external exposure likelihood) for CVE-2026-28368: 4

Product: Red Hat build of Apache Camel Hawtio

Undertow is a web server and reverse proxy component widely used in enterprise application platforms and gateways. Request smuggling vulnerabilities in such components typically impact internet-facing web services and application stacks, which are commonly deployed to handle external traffic.

PCI scan relevance

PCI Relevance for CVE-2026-28368

Yes

CVE-2026-28368 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows request smuggling attacks, which can bypass security controls and lead to unauthorized resource access, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability in Undertow could allow attackers to bypass security controls by exploiting discrepancies in how header names are interpreted between Undertow and upstream proxies, potentially leading to unauthorized access.

  • Attackers can smuggle requests to bypass security.
  • Matters for external-facing web services and applications.
  • Confirm relevance and exposure for your environment.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to a system using Undertow. The attacker crafts requests where header names are interpreted differently by Undertow than by any upstream proxy. This difference in interpretation allows the attacker to smuggle malicious requests past security controls.

  • Requires network access.
  • Crafted HTTP requests trigger parsing differences.
  • Bypasses security and accesses unauthorized resources.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow attackers to bypass security controls by exploiting differences in how Undertow and upstream proxies interpret HTTP header names. This may lead to unauthorized access to resources or sensitive information.

  • Assets at risk: sensitive system data and resources.
  • Attack vector: maliciously crafted HTTP requests.
  • Impact: unauthorized access to data and resources.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for application platforms, web servers, and potentially network security controls should address this vulnerability. The first practical step is to identify all instances of the affected Undertow component, confirm their exposure and business criticality, and then engage the respective owners to plan remediation.

  • Responsible teams: application owners and platform teams.
  • Verify external exposure and business criticality of each instance.
  • Plan coordinated remediation with the respective owners.

Frequently asked questions

What is Undertow and where is it used?

Undertow is a lightweight, flexible web server and reverse proxy component. It serves as the underlying web engine for various Red Hat enterprise solutions, including JBoss Enterprise Application Platform, Red Hat Data Grid, and various Apache Camel integrations. It is designed for high-performance applications, often managing incoming HTTP traffic for complex enterprise software stacks.

What is the vulnerability class for CVE-2026-28368?

CVE-2026-28368 is classified as CWE-444, or HTTP Request Smuggling. This weakness occurs when different software components, such as a front-end proxy and a back-end web server like Undertow, interpret the boundaries of an HTTP request differently. By exploiting these inconsistent parsing rules, an attacker can essentially hide an extra, unauthorized request inside a legitimate one, forcing the server to process it in unintended ways.

How does an attacker trigger this issue?

An attacker triggers this vulnerability by sending a maliciously crafted HTTP request designed to cause a discrepancy between how an upstream proxy and the Undertow server parse header names. It is important to note that this bug is not triggered by standard, well-formed web traffic. It requires specifically manipulated HTTP headers that exploit the divergent interpretation logic between the two infrastructure layers.
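The two answers above describe the weakness class in general terms: a front-end proxy and Undertow disagree on how a header name should be read, and that disagreement is what CWE-444 exploits. A defensive counterpart is to make the front end strict about header names, so that any request whose header names could be read two ways is rejected at the edge before both layers get a chance to disagree. The following is an added example written for this page, not Undertow's code, the vendor's fix, or the specific parsing difference behind CVE-2026-28368 (which the advisory does not describe). It applies the RFC 9110 rule that a field name is a token (no whitespace or control characters, no space before the colon) and gives the body-framing headers an extra consistency check. The sample requests are constructed for the example.

```python
import re

# RFC 9110 "token" characters: the only characters permitted in a header field name.
# Anything else (spaces, tabs, control characters, non-ASCII) is rejected outright.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers that frame the request body. A front end and a back end disagreeing on
# one of these names is the core of HTTP request smuggling (CWE-444).
FRAMING_HEADERS = {"content-length", "transfer-encoding"}


def header_name_findings(raw: bytes) -> list[str]:
    """Return the reasons a strict front end should reject this request head.

    An empty list means every header name is an unambiguous token and the
    framing headers are consistent. This is a generic hardening check, an
    assumption of this example, not a test for any particular Undertow bug.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    findings: list[str] = []
    seen_framing: set[str] = set()

    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            findings.append(f"header line without colon {line!r}")
            continue
        # Keep the name exactly as sent; trimming here would hide the ambiguity.
        name = line.split(":", 1)[0]
        if not TOKEN_RE.match(name):
            findings.append(f"non-token header name {name!r}")

        # Normalize the way a lenient parser might (strip whitespace, lowercase)
        # and check whether that lenient reading turns it into a framing header.
        norm = name.strip().lower()
        if norm in FRAMING_HEADERS:
            if norm != name.lower():
                findings.append(f"framing header {norm} sent with irregular name {name!r}")
            if norm in seen_framing:
                findings.append(f"duplicate framing header {norm}")
            seen_framing.add(norm)

    # RFC 9112 treats a request carrying both as a smuggling risk; a strict
    # front end rejects it instead of guessing which one the back end honours.
    if seen_framing == FRAMING_HEADERS:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings


# Constructed sample requests (not captured traffic).
WELL_FORMED = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Space before the colon plus conflicting framing headers: the kind of head
# that a lenient and a strict parser will read differently.
AMBIGUOUS = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length : 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("well-formed", WELL_FORMED), ("ambiguous", AMBIGUOUS)):
        print(label, header_name_findings(req) or "ok")
```

Placing this check at the proxy (the first layer that sees untrusted traffic) is what matters: once an ambiguous header name has been forwarded, the back end's interpretation decides the request boundary and the front end's access controls have already been applied to the wrong request.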

Who should be concerned about this vulnerability?

Organizations using Undertow-based products that handle untrusted traffic should be concerned. According to Halo Surface Signal, this vulnerability is most relevant for systems that are internet-facing or positioned behind a reverse proxy, as these configurations are the primary targets for request smuggling attacks. Internal-only applications with restricted access face a lower immediate risk compared to services directly reachable from the public internet.

What are the first steps to address CVE-2026-28368?

Start by auditing your environment to identify all systems running Red Hat application platforms or services that incorporate the Undertow component. Once identified, evaluate which of these instances are internet-facing or handle sensitive data to prioritize your response. Coordinate with your platform and application engineering teams to review available security errata from your vendor and schedule the necessary updates to apply the fix.
