9.1
CVE-2026-28369
- EPSS 0.05%
- Veröffentlicht 27.03.2026 16:13:05
- Zuletzt bearbeitet 31.03.2026 18:08:21
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Undertow: undertow: request smuggling via malformed http request headers
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Apache Camel - Hawtio Version4.0
Redhat ≫ Build Of Apache Camel For Spring Boot Version4.0
Redhat ≫ Jboss Enterprise Application Platform Version7.0.0
Redhat ≫ Jboss Enterprise Application Platform Version8.0.0
Redhat ≫ Process Automation Version7.0
Redhat ≫ Single Sign-on Version7.0
Redhat ≫ Enterprise Linux Version9.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.14 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| secalert@redhat.com | 8.7 | 2.2 | 5.8 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
|
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.