CVE-2026-28369: Undertow: undertow: request smuggling via malformed http request headers
A flaw was found in Undertow. When Undertow receives an HTTP request whose first header line (the line immediately after the request line) starts with one or more spaces, it strips the leading spaces and parses the line as an ordinary header instead of rejecting the message. This violates the HTTP/1.1 message syntax (RFC 9112): leading whitespace on a field line is obsolete line folding, which is only meaningful when there is a previous field line to fold into. Because a front-end proxy may treat the same line differently (for example by rejecting it or ignoring it), a remote attacker can use the discrepancy to perform request smuggling, which can bypass front-end security controls, expose responses intended for other users, or poison web caches.
Other sources
When Undertow receives a request in which the first header line begins with one or more spaces, it strips them before processing the request. This is usable as a request smuggling primitive.
The HTTP RFCs state that when a field-line begins with a space or tab, it is permissible to concatenate it into the previous field-line's value. This is referred to as obs-fold in the RFCs. However, it is always invalid to obs-fold on the first line, since there is no previous field-line to concatenate into. Thus, the message should be rejected.
— Red Hat
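To make the obs-fold rule concrete, here is an added example (not code from this page, from Undertow, or from Red Hat): a minimal HTTP/1.1 header-section parser written in two modes. The lenient mode mimics the flawed behaviour described above, stripping leading whitespace from the first field line; the strict mode implements RFC 9112, treating leading whitespace as obs-fold and rejecting a fold that has no previous field. The sample request and the idea that a front-end that discards or rejects the malformed line would see a different body length are constructed assumptions for illustration.

```python
# Added example: strict vs lenient handling of leading whitespace on the first
# HTTP/1.1 field line. Not Undertow's parser; a stand-in to show the rule.
from __future__ import annotations

import re

# RFC 9110 token characters, which a header field name must consist of.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(Exception):
    """Malformed header section; a real server answers 400 and closes."""


def parse_headers(raw: bytes, lenient: bool) -> tuple[str, list[tuple[str, str]]]:
    """Parse the request line and header section of one HTTP/1.1 message.

    lenient=True  reproduces the advisory's flaw: leading whitespace on the
                  first field line is stripped and the line is parsed as a
                  normal header.
    lenient=False follows RFC 9112: leading whitespace marks obs-fold, i.e. a
                  continuation of the previous field value; with no previous
                  field there is nothing to fold into, so the message is rejected.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("header section not terminated")
    lines = head.decode("ascii", "strict").split("\r\n")
    request_line, field_lines = lines[0], lines[1:]
    headers: list[tuple[str, str]] = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            if headers:
                # Well-formed obs-fold: append to the previous field's value.
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip(" \t"))
                continue
            if not lenient:
                raise BadRequest("obs-fold on first field line")
            line = line.lstrip(" \t")  # the flaw: silently "repair" the line
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            raise BadRequest(f"malformed field line: {line!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return request_line, headers


def body_length(headers: list[tuple[str, str]]) -> int:
    """Body length a parser would read, using Content-Length only (no chunked)."""
    for name, value in headers:
        if name == "content-length":
            return int(value)
    return 0


def is_rejected(raw: bytes) -> bool:
    """True if a strict (RFC 9112) parser refuses the message."""
    try:
        parse_headers(raw, lenient=False)
    except BadRequest:
        return True
    return False


# Constructed sample request: the FIRST field line begins with a space.
# A lenient parser reads "Content-Length: 13" and consumes 13 body bytes; a
# strict parser rejects the message. A front-end that instead dropped or
# refused the odd line (assumed behaviour, not from the advisory) would see
# no Content-Length and a zero-length body, so the two sides would disagree
# on where this request ends: the request-smuggling primitive.
SMUGGLE = (
    b"POST /api HTTP/1.1\r\n"
    b" Content-Length: 13\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
    b"GET /admin HT"
)

# Constructed sample with a legitimate obs-fold (not on the first line).
FOLDED = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Note: a\r\n"
    b" b\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    _, lenient_headers = parse_headers(SMUGGLE, lenient=True)
    print("lenient body length:", body_length(lenient_headers))
    print("strict rejects SMUGGLE:", is_rejected(SMUGGLE))
    print("strict parses FOLDED as:", parse_headers(FOLDED, lenient=False)[1])
```

Run as a script to see the two parsers disagree on the same bytes. The strict parser still accepts the fold in FOLDED, which is what RFC 9112 permits: it is the position of the whitespace, not its presence, that makes the first-line case invalid.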
Frequently Asked Questions
What is the severity of CVE-2026-28369?
CVE-2026-28369 is classified as a medium severity vulnerability.
How do I fix CVE-2026-28369?
To fix CVE-2026-28369, update Undertow (or the Red Hat product that bundles it) to a release containing the fix, as listed in Red Hat's advisory for this CVE. Until that is possible, a front-end that rejects requests whose first header line begins with a space or tab removes the parsing discrepancy the attack depends on.
What types of attacks can CVE-2026-28369 enable?
CVE-2026-28369 can enable HTTP request smuggling attacks due to improper handling of malformed HTTP request headers.
Which versions of Undertow are affected by CVE-2026-28369?
Affected releases are those in which Undertow strips leading whitespace from the first header line instead of rejecting the request. Red Hat's advisory lists the exact affected and fixed versions for each product that ships Undertow.
Is CVE-2026-28369 easy to exploit?
The malformed request itself is trivial to construct: a single space before the first header line is enough. Turning that into request smuggling, however, requires a front-end (reverse proxy, load balancer, or cache) that parses the line differently from Undertow, so that the two disagree on where one request ends and the next begins. If Undertow is reached directly with no intermediary, there is no second parser to desynchronize.