Cyber Resilience

CVE-2026-28368

Severity: High (updated)
Published: 27 March 2026
Modified: 29 June 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.7, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score: 0.0070 (48.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-28368 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat JBoss Enterprise Application Platform. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28368 is a vulnerability in Undertow, a Java-based web server framework. The flaw enables a remote attacker to craft requests where header names are parsed differently by Undertow compared to upstream proxies, creating a discrepancy that can be exploited for HTTP request smuggling attacks, as defined by CWE-444. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

A remote attacker requires no privileges or user interaction but must overcome high attack complexity to exploit this issue. Successful attacks leverage the parsing mismatch to conduct request smuggling, potentially bypassing security controls and gaining access to unauthorized resources, with high impacts to confidentiality and integrity across a changed scope.
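As an added illustration (not code from this page, Red Hat or Undertow) of the header-name parsing discrepancy described above and of the input-validation control the page recommends, the Python below pairs a hypothetical tolerant parser with a strict RFC 9110 token gate and flags header blocks on which the two would disagree. The sample header blocks are constructed, and neither parser models Undertow or any specific proxy.

```python
import re
from typing import Dict, Optional, Tuple

# Field-name grammar from RFC 9110 section 5.6.2: one or more "tchar" characters.
TCHAR_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample header blocks (not captured traffic, not from the advisory).
WELL_FORMED = b"Host: example.test\r\nContent-Length: 5\r\n\r\n"
SPACE_BEFORE_COLON = b"Host: example.test\r\nContent-Length : 5\r\n\r\n"
NON_TOKEN_BYTE = b"Host: example.test\r\nX-Trace\x0b: 1\r\n\r\n"


def parse_headers_lenient(raw: bytes) -> Dict[str, str]:
    """Hypothetical tolerant parser: trims ASCII whitespace around the field
    name and keeps what is left. It stands in for "the more forgiving of two
    hops" and does not model Undertow or any particular proxy."""
    out: Dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            out[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return out


def parse_headers_strict(raw: bytes) -> Tuple[Optional[Dict[str, str]], str]:
    """Edge-side gate: accept a block only if every field name is an exact
    RFC 9110 token (hence no whitespace before the colon, RFC 9112 section 5.1)
    and framing headers are not repeated. Returns (headers, "") or (None, why)."""
    out: Dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            return None, f"field line without colon: {line!r}"
        if not name.isascii() or not TCHAR_NAME.match(name.decode("ascii")):
            return None, f"field name is not a token: {name!r}"
        key = name.decode("ascii").lower()
        if key in out and key in ("content-length", "transfer-encoding"):
            return None, f"repeated framing header: {key}"
        out[key] = value.strip(b" \t").decode("latin-1")
    return out, ""


def peers_would_disagree(raw: bytes) -> bool:
    """True when the tolerant parser yields headers from a block the strict
    gate rejects: the condition under which two hops can see different header
    names, which is exactly what the gate keeps from reaching the origin."""
    strict, _ = parse_headers_strict(raw)
    return strict is None and bool(parse_headers_lenient(raw))
```

Placing the strict gate at the first hop means every downstream component receives only field names that have a single unambiguous reading.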

Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-28368 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2443261.

Vulnerability details

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability in the Undertow web server framework directly enables HTTP request smuggling (CWE-444), a classic exploitation of public-facing web applications to bypass proxies and access unauthorized resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28369 · Same product: Red Hat Build of Apache Camel - Hawtio
CVE-2026-28367 · Same product: Red Hat Build of Apache Camel - Hawtio
CVE-2025-12543 · Same product: Red Hat Data Grid
CVE-2026-3260 · Same product: Red Hat Build of Apache Camel - Hawtio
CVE-2026-32590 · Same vendor: Red Hat
CVE-2026-3009 · Same product: Red Hat JBoss Enterprise Application Platform
CVE-2026-9064 · Same product: Red Hat Enterprise Linux
CVE-2026-3121 · Same product: Red Hat JBoss Enterprise Application Platform
CVE-2026-2833 · Shared CWE-444
CVE-2026-33870 · Shared CWE-444

Affected Assets

vendor / product / version(s)
redhat / build of apache camel - hawtio / 4.0
redhat / build of apache camel for spring boot / 4.0
redhat / data grid / 8.0
redhat / fuse / 7.0.0
redhat / jboss enterprise application platform / 7.0.0, 8.0.0
redhat / jboss enterprise application platform expansion pack / all versions
redhat / process automation / 7.0
redhat / single sign-on / 7.0
redhat / undertow / all versions
redhat / enterprise linux / 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · Directly remediates the flaw in Undertow's header parsing, eliminating the root cause of request smuggling attacks.

prevent · Validates and sanitizes incoming HTTP headers to reject specially crafted requests exploiting parsing discrepancies.

prevent · Enforces boundary protections via proxies and gateways that normalize requests and block smuggling attempts due to parsing mismatches.