CVE-2026-28368 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: March 27, 2026
Undertow - HTTP Request Smuggling
Published: March 27, 2026 | Updated: March 27, 2026 | Remote Exploitable
Overview
Undertow contains an HTTP request smuggling vulnerability caused by header name parsing that is inconsistent with upstream proxies. Remote attackers can use it to bypass security controls and access unauthorized resources. Exploitation requires crafted requests.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Remote attackers can bypass security controls and access unauthorized resources via request smuggling.
Mitigation
Update to the latest version of Undertow.
Details
- CVE ID: CVE-2026-28368
- Severity: High
- CVSS Score: 8.7
- Type: http_request_smuggling
- Status: new
CWE
- CWE-444
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N