CVE-2026-28369
Published: 27 March 2026
Summary
CVE-2026-28369 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Undertow, the HTTP server used by Red Hat JBoss Enterprise Application Platform. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 14.2 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the Red Hat patches for CVE-2026-28369 to Undertow so that a header line beginning with whitespace is rejected instead of silently normalised; this removes the parsing disagreement that makes smuggling possible.
SC-7 (Boundary Protection): a web application firewall or reverse proxy in front of Undertow should enforce strict HTTP/1.1 framing and reject requests whose first header line begins with a space or tab. The front-end must reject such requests rather than strip or skip the line itself, because a front-end that tolerates the line in a different way than the back-end is exactly the condition request smuggling exploits.
SI-10 (Information Input Validation): validate inbound request heads against RFC 9112 and reject non-standard requests with leading whitespace in the first header line, which mitigates the parsing error in unpatched Undertow builds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-28369 enables HTTP request smuggling in the Undertow web server framework, allowing bypass of frontend controls and cache poisoning, directly facilitating exploitation of public-facing applications.
NVD Description
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Deeper analysis
CVE-2026-28369 is a vulnerability in Undertow, a Java-based web server framework. The flaw occurs when Undertow processes an HTTP request whose first header line begins with one or more leading spaces: it strips the spaces and honours the line as a normal header, whereas RFC 9112 section 2.2 requires a recipient either to reject such a message or to discard the whitespace-prefixed line without processing it. This misprocessing enables HTTP request smuggling, as documented under CWE-444. The vulnerability was published on 2026-03-27 and is listed with a CVSS base score of 8.7 and the vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. Note that this vector evaluates to 8.0 under the CVSS v3.1 formula, so confirm the score and vector against the Red Hat advisory before using them for prioritisation.
A remote attacker needs no privileges or user interaction, but attack complexity is rated high (AC:H): smuggling only works when a front-end component (proxy, load balancer or cache) frames the same request differently from Undertow, so a deployment behind a front-end that itself strips the whitespace is not exposed in the same way. When the disagreement exists, the attacker can append bytes that the front-end treats as body (or as nothing) and Undertow treats as a second request, which allows bypassing front-end security controls, reaching restricted resources behind the proxy, or poisoning a shared cache, with unauthorized actions or sensitive data exposure as the result.
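The parsing disagreement that both the NVD description and the analysis above turn on, shown as an added example written for this page. This is not Undertow's parser and not Red Hat code: the lenient policy is a constructed model of the behaviour the advisory describes (strip leading whitespace, honour the line), the skip-whitespace policy is the other option RFC 9112 section 2.2 permits a front-end to take, and the strict policy rejects the request. The sample request, the `example.test` host and the bytes labelled SMUGGLED are constructed only to show where the policies disagree on body framing.

```python
# Added example (not Undertow or Red Hat code): minimal HTTP/1.1 request-head
# framing under three header-line policies, to show why a first header line
# that begins with whitespace must be rejected rather than normalised.
from typing import Callable, Dict, List, Tuple

CRLF = b"\r\n"
Headers = Dict[bytes, List[bytes]]


class MalformedRequest(ValueError):
    """Raised when a request head violates RFC 9112 framing rules."""


def split_head(raw: bytes) -> Tuple[bytes, List[bytes], bytes]:
    """Split raw bytes into (request-line, header lines, bytes after the head)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise MalformedRequest("request head not terminated by CRLF CRLF")
    lines = head.split(CRLF)
    if lines[0][:1] in (b" ", b"\t"):
        raise MalformedRequest("request-line begins with whitespace")
    return lines[0], lines[1:], rest


def parse_headers_strict(lines: List[bytes]) -> Headers:
    """RFC 9112 s.2.2/s.5.2: reject a header line that starts with SP/HTAB
    (leading whitespace after the request-line, or obs-fold continuation)."""
    headers: Headers = {}
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            raise MalformedRequest("header line begins with whitespace: %r" % line)
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.rstrip(b" \t"):
            raise MalformedRequest("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    return headers


def parse_headers_lenient(lines: List[bytes]) -> Headers:
    """Constructed model of the vulnerable behaviour: leading whitespace is
    stripped and the line is honoured as an ordinary header."""
    headers: Headers = {}
    for line in lines:
        line = line.lstrip(b" \t")  # the non-compliant normalisation
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip(b" \t"))
    return headers


def parse_headers_skip_ws_lines(lines: List[bytes]) -> Headers:
    """The other RFC 9112 s.2.2 option a front-end may take: consume leading
    whitespace-prefixed lines without processing them; later obs-fold is rejected."""
    headers: Headers = {}
    skipping = True
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            if skipping:
                continue
            raise MalformedRequest("obs-fold is not accepted: %r" % line)
        skipping = False
        name, sep, value = line.partition(b":")
        if not sep or not name:
            raise MalformedRequest("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    return headers


def body_length(headers: Headers) -> int:
    """Body length from Content-Length (0 if absent); conflicting values are rejected."""
    values = set(headers.get(b"content-length", []))
    if not values:
        return 0
    if len(values) != 1 or not next(iter(values)).isdigit():
        raise MalformedRequest("conflicting or invalid Content-Length")
    return int(next(iter(values)))


def frame(raw: bytes, policy: Callable[[List[bytes]], Headers]) -> Tuple[bytes, bytes]:
    """Return (bytes consumed as body, bytes left on the connection) under a policy."""
    _, lines, rest = split_head(raw)
    n = body_length(policy(lines))
    return rest[:n], rest[n:]


# Constructed sample: the first header line starts with a space. SMUGGLED marks
# the bytes the two tolerant policies disagree about; no real target is implied.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b" Content-Length: " + str(len(SMUGGLED)).encode() + b"\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
) + SMUGGLED


def desync_candidate(raw: bytes) -> bool:
    """True when a skip-whitespace front-end and a strip-whitespace back-end
    frame the body differently, i.e. the precondition for request smuggling."""
    return frame(raw, parse_headers_skip_ws_lines) != frame(raw, parse_headers_lenient)


def strict_rejects(raw: bytes) -> bool:
    """True when the RFC-compliant parser refuses the request outright."""
    try:
        frame(raw, parse_headers_strict)
    except MalformedRequest:
        return True
    return False


if __name__ == "__main__":
    print("front-end (skip ws lines) leaves on wire:", frame(SAMPLE, parse_headers_skip_ws_lines)[1])
    print("back-end (strip ws) consumes as body:    ", frame(SAMPLE, parse_headers_lenient)[0])
    print("desync candidate:", desync_candidate(SAMPLE), "| strict parser rejects:", strict_rejects(SAMPLE))
```

Run as a script, the skip-whitespace policy sees no Content-Length and leaves the SMUGGLED bytes on the connection as the start of a second request, while the strip-whitespace policy reads them as the body of the first request; that difference is the desync. The strict policy raises on the same input, which is the behaviour a patched Undertow or a compliant front-end should exhibit. `desync_candidate` is also a usable check for a WAF or proxy test harness: feed it the requests your front-end would accept and any True result means the boundary control is tolerating a line that must be rejected.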
Red Hat advisories detail mitigation strategies for affected products. Security practitioners should consult the official advisory at https://access.redhat.com/security/cve/CVE-2026-28369 and the associated Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2443262 for patch information, version-specific impacts, and remediation guidance.
Details
- CWE(s)