Home / Vulnerability Intelligence / CVE-2026-28367

CVE-2026-28367 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 30, 2026

Undertow - HTTP Request Smuggling

Published: March 27, 2026Updated: March 30, 2026Remote Exploitable

Overview

Undertow contains an HTTP request smuggling vulnerability caused by improper handling of header block terminators, letting remote attackers manipulate web requests, exploit requires sending '\r\r\r' as header terminator.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 3.6%(Probability of exploitation in next 30 days)

Impact

Remote attackers can manipulate or gain unauthorized access to web requests, potentially bypassing security controls.

Mitigation

Update to the latest version of Undertow.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2026-28367 - High (8.7) A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28367/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28367
Severity: High
CVSS Score: 8.7
Type: http_request_smuggling
Status: unconfirmed
EPSS: 3.6%
Social Posts: 1

CWE

CWE-444

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score

3.6%Probability of exploitation in the next 30 days