Cyber Resilience

CVE-2026-28369

Severity: High · Updated
Published: 27 March 2026
Modified: 10 June 2026
KEV Added: not listed
Patch: see vendor advisory
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0068 (47.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28369 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat JBoss Enterprise Application Platform. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 47.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28369 is a vulnerability in Undertow, a Java-based web server framework. The flaw occurs when Undertow processes an HTTP request where the first header line begins with one or more leading spaces; it incorrectly strips these spaces, violating HTTP standards. This misprocessing enables HTTP request smuggling, as documented under CWE-444. The vulnerability was published on 2026-03-27 and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

A remote attacker needs no privileges or user interaction, although the attack is rated high complexity (AC:H) over the network. Successful smuggling lets the attacker bypass front-end security controls, reach restricted information behind proxies or load balancers, or poison web caches by interleaving malicious requests with legitimate ones; the outcome can be unauthorized actions or sensitive data exposure.

Red Hat advisories detail mitigation strategies for affected products. Security practitioners should consult the official advisory at https://access.redhat.com/security/cve/CVE-2026-28369 and the associated Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2443262 for patch information, version-specific impacts, and remediation guidance.


Vulnerability details

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.

CWE(s): CWE-444 HTTP Request/Response Smuggling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-28369 enables HTTP request smuggling in the Undertow web server framework, allowing bypass of frontend controls and cache poisoning, directly facilitating exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28368 · Same product: Redhat Build Of Apache Camel - Hawtio
CVE-2026-28367 · Same product: Redhat Build Of Apache Camel - Hawtio
CVE-2025-12543 · Same product: Redhat Data Grid
CVE-2026-3260 · Same product: Redhat Build Of Apache Camel - Hawtio
CVE-2026-32590 · Same vendor: Redhat
CVE-2026-3009 · Same product: Redhat Jboss Enterprise Application Platform
CVE-2026-9064 · Same product: Redhat Enterprise Linux
CVE-2026-3121 · Same product: Redhat Jboss Enterprise Application Platform
CVE-2026-2833 · Shared CWE-444
CVE-2026-33870 · Shared CWE-444

Affected Assets (vendor / product / versions)

redhat / build of apache camel - hawtio / 4.0
redhat / build of apache camel for spring boot / 4.0
redhat / data grid / 8.0
redhat / fuse / 7.0.0
redhat / jboss enterprise application platform / 7.0.0, 8.0.0
redhat / jboss enterprise application platform expansion pack / all versions
redhat / process automation / 7.0
redhat / single sign-on / 7.0
redhat / undertow / all versions
redhat / enterprise linux / 9.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent · SI-2 Flaw Remediation: Timely flaw remediation means applying the Red Hat patches for CVE-2026-28369 in Undertow, removing the header-parsing defect that enables request smuggling.

Prevent · SC-7 Boundary Protection: Web application firewalls or reverse proxies at the network boundary enforce strict HTTP protocol compliance and block malformed requests whose first header line begins with leading spaces.

Prevent · SI-10 Information Input Validation: Input validation detects and rejects non-standard HTTP requests with leading spaces in the first header line, mitigating the parsing error in Undertow.
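As an added example (not code from this page, from Red Hat or from the Undertow project), the following Python check implements the input-validation and boundary-protection controls above for the defect described in the Deeper analysis section: a strict HTTP request-head parser that rejects whitespace between the request line and the first header field, per RFC 9112 section 2.2, alongside a deliberately lenient mode so a defender can flag requests that a compliant front end and a non-compliant back end would parse differently. The sample requests are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample requests (not from the advisory): one well-formed, one whose
# first header line begins with a single space, the shape the advisory describes.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
BAD_REQUEST = b"GET /index.html HTTP/1.1\r\n Host: app.example\r\n\r\n"
_REQUEST_LINE = re.compile(r"[A-Z]+ \S+ HTTP/1\.[01]")

def parse_request_head(raw: bytes, strict: bool = True) -> Tuple[str, Dict[str, str]]:
    """Return (request-line, headers). strict=True follows RFC 9112 s2.2 and
    rejects whitespace between the start-line and the first header field;
    strict=False mimics the non-compliant strip-and-keep behaviour for comparison."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head: missing CRLF CRLF")
    lines = head.decode("ascii").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if not _REQUEST_LINE.fullmatch(request_line):
        raise ValueError("malformed request-line")
    headers: Dict[str, str] = {}
    for index, line in enumerate(header_lines):
        if line[:1] in (" ", "\t"):
            if index > 0:
                raise ValueError("obsolete line folding is not accepted")
            if strict:
                raise ValueError("whitespace before first header field")
            line = line.lstrip(" \t")  # lenient path: the behaviour that violates the RFC
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.lower()] = value.strip()
    return request_line, headers

def _accepts(raw: bytes, strict: bool) -> bool:
    try:
        parse_request_head(raw, strict=strict)
        return True
    except ValueError:
        return False

def is_parser_divergent(raw: bytes) -> bool:
    """True when a compliant parser rejects the head but the lenient one accepts it:
    the request class a boundary control (SC-7) should drop before it reaches the back end."""
    return not _accepts(raw, strict=True) and _accepts(raw, strict=False)
```

A boundary device or WAF rule need only apply the strict path; the divergence check is useful in regression tests to confirm that every request the lenient parser still accepts is one the strict parser accepts too.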

References

Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2026-28369
Red Hat Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2443262