Home / Vulnerability Intelligence / CVE-2026-28369

CVE-2026-28369 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 30, 2026

Undertow - HTTP Request Smuggling

Published: March 27, 2026Updated: March 30, 2026Remote Exploitable

Overview

Undertow contains an HTTP request smuggling vulnerability caused by incorrect processing of header lines starting with spaces, letting remote attackers bypass security and manipulate requests, exploit requires crafted HTTP requests.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 12.9%(Probability of exploitation in next 30 days)

Impact

Remote attackers can bypass security controls, access restricted data, or manipulate web caches, leading to unauthorized actions or data exposure.

Mitigation

Update to the latest version of Undertow.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2026-28369 - High (8.7) A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28369/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28369
Severity: High
CVSS Score: 8.7
Type: http_request_smuggling
Status: unconfirmed
EPSS: 12.9%
Social Posts: 1

CWE

CWE-444

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score

12.9%Probability of exploitation in the next 30 days