CVE-2026-28368
Published: 27 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-28368 is a vulnerability in Undertow, a Java-based web server framework. The flaw lets a remote attacker craft requests whose header names Undertow parses differently from upstream proxies; that discrepancy can be exploited for HTTP request smuggling attacks, as defined by CWE-444. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
A remote attacker needs no privileges or user interaction but must overcome high attack complexity to exploit this issue. A successful attack leverages the parsing mismatch to smuggle requests, potentially bypassing security controls and reaching unauthorized resources, with high impact to confidentiality and integrity across a changed scope.
Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-28368 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2443261.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the Undertow web server framework directly enables HTTP request smuggling (CWE-444), a classic way of exploiting a public-facing web application to bypass proxies and reach unauthorized resources.