CVE-2026-28369
Published: 27 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-28369 is a vulnerability in Undertow, a Java-based web server framework. The flaw occurs when Undertow processes an HTTP request where the first header line begins with one or more leading spaces; it incorrectly strips these spaces, violating HTTP standards. This misprocessing enables HTTP request smuggling, as documented under CWE-444. The vulnerability was published on 2026-03-27 and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
A remote attacker needs no privileges or user interaction, but the attack is carried out over the network and is of high complexity. Successful smuggling allows the attacker to bypass frontend security controls, access restricted information behind proxies or load balancers, or poison web caches. By interleaving malicious requests with legitimate ones, this can result in unauthorized actions or sensitive data exposure.
Red Hat advisories detail mitigation strategies for affected products. Security practitioners should consult the official advisory at https://access.redhat.com/security/cve/CVE-2026-28369 and the associated Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2443262 for patch information, version-specific impacts, and remediation guidance.
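The parsing discrepancy behind this flaw, as an added illustration that is not Undertow's own code: a strict parser following RFC 9112 section 2.2 rejects a request whose first header line starts with whitespace, while a lenient parser that strips the whitespace (the behaviour the advisory describes) accepts it and sees an extra header. The second function is a simple front-end check that flags such requests. The sample request is constructed for this example.

```python
from typing import Dict, Optional

CRLF = "\r\n"


def parse_request_head(raw: str, lenient: bool) -> Optional[Dict[str, str]]:
    """Parse the request-line and header fields of an HTTP/1.1 request head.

    lenient=True  : strip leading SP/HTAB from the first header line and
                    treat it as a normal header (the behaviour CVE-2026-28369
                    describes).
    lenient=False : RFC 9112 section 2.2 behaviour: whitespace between the
                    request-line and the first header field is not a header,
                    so the message is rejected (None is returned).
    Any other malformed header line is also rejected.
    """
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    if not lines or not lines[0]:
        return None
    headers: Dict[str, str] = {}
    for i, line in enumerate(lines[1:]):
        if i == 0 and line[:1] in (" ", "\t"):
            if not lenient:
                return None
            line = line.lstrip(" \t")
        name, sep, value = line.partition(":")
        # Reject missing colon, empty name, or whitespace around the name.
        if not sep or not name or name != name.strip():
            return None
        headers[name.lower()] = value.strip()
    return headers


def has_whitespace_before_first_header(raw: str) -> bool:
    """Front-end check: True when the line after the request-line begins with
    SP or HTAB, which RFC 9112 says a recipient must reject or ignore."""
    head, _, _ = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return len(lines) > 1 and lines[1][:1] in (" ", "\t")


# Constructed sample: the first header line carries a leading space.
SAMPLE = (
    "POST /api HTTP/1.1\r\n"
    " Content-Length: 5\r\n"
    "Host: example.test\r\n"
    "\r\n"
    "hello"
)
```

Comparing both parsers on SAMPLE shows the disagreement a proxy chain would have: the strict parser returns None, the lenient one returns a Content-Length header the strict side never saw.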
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-28369 enables HTTP request smuggling in the Undertow web server framework, allowing bypass of frontend controls and cache poisoning, directly facilitating exploitation of public-facing applications.