CVE-2026-28367
Description
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending rrr as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Risk Information
Base Score
8.7
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.047
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 7.0.0 | Windows |
| Multiple Vulnerabilities are affected in Red Hat Data Grid 8 8.0 | Windows |
| Multiple Vulnerabilities are affected in Red Hat JBoss Enterprise Application Platform 7 8.0.0 | Windows |
| Vulnerabilities CVE-2026-28367,CVE-2026-28368,CVE-2026-28369 are affected in Undertow - undertow-parent 2.3.23 | Windows |
| Vulnerabilities CVE-2026-28367,CVE-2026-28368,CVE-2026-28369 are affected in Undertow - undertow-parent for Linux 2.3.23 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234