CVE-2026-28368
Published: 27 March 2026
Summary
CVE-2026-28368 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat JBoss Enterprise Application Platform, in the Undertow web server component it embeds. Its CVSS v3.1 base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It sits at the 10th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the vendor fix to Undertow's header parsing, which removes the root cause of the request smuggling rather than working around it.
- SI-10 (Information Input Validation): validate incoming HTTP header names and reject specially crafted requests that rely on the parsing discrepancy, instead of silently accepting what the proxy and Undertow interpret differently.
- SC-7 (Boundary Protection): place proxies and gateways at the boundary that normalize requests and block smuggling attempts that depend on parsing mismatches between front-end and back-end.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The flaw in the Undertow web server framework directly enables HTTP request smuggling (CWE-444): the attacker exploits an internet-facing web application's parsing behaviour to slip requests past an upstream proxy and reach resources the proxy should have blocked.
NVD Description
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Deeper analysis
CVE-2026-28368 is a vulnerability in Undertow, the Java web server framework embedded in JBoss EAP. A remote attacker can craft requests whose header names Undertow parses differently from an upstream proxy; the two components then disagree about where one request ends and the next begins, which is the HTTP request smuggling pattern catalogued as CWE-444. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
The attacker needs no privileges and no user interaction, but attack complexity is rated high: the attack only works in a deployment where a proxy sits in front of Undertow, and the attacker has to find a header name that the two parse differently. A successful attack turns that parsing mismatch into request smuggling, bypassing controls enforced at the proxy and reaching resources the proxy would have denied, with high impact to confidentiality and integrity. The changed scope reflects that the damage lands beyond Undertow's own security boundary, on the proxy's policy and the resources behind it; availability is not affected.
Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-28368 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2443261.
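The parsing-discrepancy mechanism described above, as an added example that is not code from this page, from Red Hat or from Undertow, and that does not reproduce the actual Undertow bug. It assumes a hypothetical lenient front-end parser that trims whitespace around header names and a strict back-end parser that only recognizes RFC 9110 token names; the real CVE's disagreement, and which side is the lenient one, are not stated on this page. Only Content-Length framing is modelled, and the byte stream is constructed for the demonstration.

```python
"""
Toy model of a CWE-444 header-name parsing discrepancy: two parsers that disagree
on whether "Content-Length : 38" names the Content-Length header frame the same
TCP stream as a different number of requests. Hypothetical parsers, not Undertow's.
"""
from typing import Callable, Optional

# RFC 9110 "tchar": the only characters permitted in a header field name.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

NameParser = Callable[[bytes], Optional[str]]


def strict_name(raw: bytes) -> Optional[str]:
    """Strict (back-end style, assumed): a name must be a bare token, else it is unknown."""
    name = raw.decode("latin-1")
    return name.lower() if name and all(c in TCHAR for c in name) else None


def lenient_name(raw: bytes) -> Optional[str]:
    """Lenient (front-end style, assumed): trim surrounding whitespace before matching."""
    name = raw.decode("latin-1").strip(" \t")
    return name.lower() or None


def parse_headers(head: bytes, name_of: NameParser) -> dict:
    """Parse 'Name: value' lines; lines whose name the parser rejects are silently dropped."""
    headers = {}
    for line in head.split(b"\r\n"):
        raw_name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name_of(raw_name)
        if name is not None:
            headers[name] = value.strip().decode("latin-1")
    return headers


def frame_requests(stream: bytes, name_of: NameParser) -> list:
    """Split a pipelined byte stream into (request_line, headers, body) tuples the way a
    parser using name_of would. A missing or unrecognised Content-Length means no body."""
    requests, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        request_line, _, header_block = stream[pos:end].partition(b"\r\n")
        headers = parse_headers(header_block, name_of)
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = 0
        body = stream[end + 4:end + 4 + length]
        requests.append((request_line.decode("latin-1"), headers, body))
        pos = end + 4 + length
    return requests


def framing_views(stream: bytes) -> tuple:
    """(requests seen by the lenient front-end, requests seen by the strict back-end)."""
    return (len(frame_requests(stream, lenient_name)),
            len(frame_requests(stream, strict_name)))


def accept_request(stream: bytes) -> bool:
    """Hardened gate in the SI-10 spirit: refuse the message outright if any header name
    is not a clean token, so the two parsers can never frame it differently."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return False
    _, _, header_block = stream[:end].partition(b"\r\n")
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        raw_name, sep, _ = line.partition(b":")
        if not sep or strict_name(raw_name) is None:
            return False
    return True


# Constructed sample stream: a POST whose Content-Length name carries a trailing space,
# followed by the bytes the attacker wants the back-end to treat as its own request.
# 38 is exactly the length of the trailing GET, so the lenient side swallows it as body.
SMUGGLED = (b"POST /upload HTTP/1.1\r\n"
            b"Host: app.example\r\n"
            b"Content-Length : 38\r\n"
            b"\r\n"
            b"GET /admin HTTP/1.1\r\n"
            b"X-Smuggled: 1\r\n"
            b"\r\n")

# Constructed well-formed request for comparison.
CLEAN = (b"POST /upload HTTP/1.1\r\n"
         b"Host: app.example\r\n"
         b"Content-Length: 5\r\n"
         b"\r\n"
         b"hello")

if __name__ == "__main__":
    print("front-end/back-end request counts:", framing_views(SMUGGLED))
    print("hardened gate accepts smuggled stream:", accept_request(SMUGGLED))
    print("hardened gate accepts clean request:", accept_request(CLEAN))
```

With these assumed parsers the front-end sees one POST whose body happens to contain the GET, while the back-end sees the POST with an empty body followed by a separate GET /admin that the proxy never evaluated. The gate shows the input-validation control: reject any header name that is not a clean token instead of normalizing it, because normalization is exactly what the two sides do differently. It is a defence-in-depth measure; the fix for this CVE is still the vendor patch referenced above.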
Details
- CWE(s): CWE-444 (HTTP Request/Response Smuggling)