CVE-2026-3260: Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests

March 24, 2026 (updated March 27, 2026)

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

References

access.redhat.com/security/cve/CVE-2026-3260
bugzilla.redhat.com/show_bug.cgi?id=2443010
github.com/advisories/GHSA-3x3v-w654-m28m
github.com/undertow-io/undertow
github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1
nvd.nist.gov/vuln/detail/CVE-2026-3260

Code Behaviors & Features

Detect and mitigate CVE-2026-3260 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →