CVE-2026-28367
Published: 27 March 2026
Summary
CVE-2026-28367 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat JBoss Enterprise Application Platform. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the HTTP header parsing flaw in Undertow by applying the vendor patches recommended in the Red Hat advisory.
- SI-10 (Information Input Validation): validates HTTP request inputs, including header block terminators, so that malformed requests such as those using `\r\r\r` are rejected before they can be used for smuggling.
- SC-7 (Boundary Protection): enforces boundary protection at web server and proxy interfaces to filter or block request smuggling attempts that exploit inconsistent HTTP parsing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of public-facing Undertow web server via crafted HTTP headers to achieve request smuggling (CWE-444), enabling unauthorized access or request manipulation.
NVD Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Deeper analysis
CVE-2026-28367 is a vulnerability in Undertow, a Java web server used in products such as Red Hat JBoss. A remote attacker can trigger the flaw by sending `\r\r\r` as a header block terminator, which enables HTTP request smuggling when Undertow sits behind certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, that frame the header block differently. The issue, published on 2026-03-27, is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) with a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
A remote, unauthenticated attacker can exploit this vulnerability, under high attack complexity conditions, to perform request smuggling. By manipulating header termination, the attacker causes the proxy and Undertow to disagree about where one request ends and the next begins, potentially leading to unauthorized access to internal services or manipulation of web requests. The scope is changed (S:C), so the impact can extend beyond Undertow itself; confidentiality and integrity impact are rated high, and availability is not affected.
Red Hat has issued a security advisory at https://access.redhat.com/security/cve/CVE-2026-28367 and a corresponding Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2443260, which provide details on affected versions and recommended mitigations or patches for impacted products.
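The analysis above describes the root cause (a proxy and the back-end server disagreeing about where the HTTP header block ends) and the SI-10 mitigation (reject malformed terminators at the input). The following Python is an added example, not code from Red Hat, Undertow or this page. It places a strict RFC 9112 parser beside a hypothetical lenient parser that also accepts `\r\r\r`, shows that the two produce different framing for the same bytes, and implements the input check that rejects any bare CR or LF inside the header block. The lenient parser is a model of the behaviour class the advisory describes, not Undertow's logic, and the sample requests are constructed.

```python
"""Strict vs lenient HTTP/1.1 header-block framing, and the input check that
removes the disagreement.

Added example: none of this is Undertow, Red Hat or proxy vendor code. The
lenient parser is a hypothetical model of the behaviour class described in
the CVE, and the sample requests below are constructed, not captured traffic.
"""
from __future__ import annotations

CRLF = b"\r\n"
STRICT_TERMINATOR = b"\r\n\r\n"   # RFC 9112: header block ends with an empty CRLF line
BARE_CR_TERMINATOR = b"\r\r\r"    # non-standard terminator named in the advisory

# Constructed sample requests.
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
BARE_CR_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\r\r"   # bare-CR run instead of CRLF CRLF
    b"X-Extra: 1\r\n\r\n"        # a strict parser still reads this as a header
    b"hello"
)


def header_end_strict(raw: bytes) -> int | None:
    """Offset of the first body byte when the header block is terminated by
    CRLF CRLF; None if the block is incomplete or never properly terminated."""
    i = raw.find(STRICT_TERMINATOR)
    return None if i < 0 else i + len(STRICT_TERMINATOR)


def header_end_lenient(raw: bytes) -> int | None:
    """Hypothetical lenient parser: accepts CRLF CRLF or CR CR CR, whichever
    appears first, as the end of the header block (a model, not Undertow)."""
    candidates = [
        (raw.find(STRICT_TERMINATOR), len(STRICT_TERMINATOR)),
        (raw.find(BARE_CR_TERMINATOR), len(BARE_CR_TERMINATOR)),
    ]
    hits = [(i, n) for i, n in candidates if i >= 0]
    if not hits:
        return None
    i, n = min(hits)  # earliest terminator wins
    return i + n


def framing_disagreement(raw: bytes) -> bool:
    """True when the two parsers place the end of the header block at
    different offsets: the CWE-444 condition that makes smuggling possible."""
    return header_end_strict(raw) != header_end_lenient(raw)


def validate_header_block(raw: bytes) -> tuple[bool, str]:
    """SI-10 style input check: accept only a header block whose lines each
    end in CRLF and which ends in CRLF CRLF. Any bare CR or bare LF inside a
    header line is rejected, so a CR CR CR run never reaches a lenient parser."""
    end = header_end_strict(raw)
    if end is None:
        return False, "no CRLF CRLF terminator"
    block = raw[: end - len(CRLF)]  # drop the final empty line
    for lineno, line in enumerate(block.split(CRLF)):
        if b"\r" in line:
            return False, f"bare CR in header line {lineno}"
        if b"\n" in line:
            return False, f"bare LF in header line {lineno}"
    return True, "ok"


if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("bare-cr", BARE_CR_REQUEST)):
        print(name, "strict:", header_end_strict(req),
              "lenient:", header_end_lenient(req),
              "disagree:", framing_disagreement(req),
              "validate:", validate_header_block(req))
```

For the constructed `BARE_CR_REQUEST`, the lenient model ends the headers at offset 62 (right after `\r\r\r`) while the strict parser ends them at 76, so the bytes `X-Extra: 1` are a header to one side and body to the other. The validator rejects the request before either parser is consulted, which is the point of applying SI-10 at the proxy or server boundary rather than relying on both components to agree.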
Details
- CWE(s): CWE-444 (Inconsistent Interpretation of HTTP Requests)