CVE-2026-28368: Undertow is Vulnerable to HTTP Request/Response Smuggling

March 27, 2026 (updated March 31, 2026)

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.

References

access.redhat.com/security/cve/CVE-2026-28368
bugzilla.redhat.com/show_bug.cgi?id=2443261
github.com/advisories/GHSA-8v4x-mgvp-p658
github.com/undertow-io/undertow
nvd.nist.gov/vuln/detail/CVE-2026-28368

Code Behaviors & Features

Detect and mitigate CVE-2026-28368 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →