CVE-2026-28367

🗓️ 27 Mar 2026 16:13:05Reported by redhatType

Undertow vulnerability enables request smuggling via header terminator \r\r\r, risking access through proxies.

Reporter	Title	Published	Views	Family All 17
ATTACKERKB	CVE-2026-28367	27 Mar 202616:13	–	attackerkb
Circl	CVE-2026-28367	27 Mar 202619:18	–	circl
CNNVD	Undertow 环境问题漏洞	27 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-28367 Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator	27 Mar 202616:13	–	cvelist
Debian CVE	CVE-2026-28367	27 Mar 202616:13	–	debiancve
EUVD	EUVD-2026-16694	27 Mar 202618:31	–	euvd
Github Security Blog	Undertow is Vulnerable to HTTP Request/Response Smuggling	27 Mar 202618:31	–	github
NVD	CVE-2026-28367	27 Mar 202617:16	–	nvd
OSV	DEBIAN-CVE-2026-28367	27 Mar 202617:16	–	osv
OSV	GHSA-3GV6-G396-9V4R Undertow is Vulnerable to HTTP Request/Response Smuggling	27 Mar 202618:31	–	osv

NVD

Node

redhat build_of_apache_camel_-_hawtioMatch4.0

redhat build_of_apache_camel_for_spring_bootMatch4.0

redhat data_gridMatch8.0

redhat fuseMatch7.0.0

redhat jboss_enterprise_application_platformMatch7.0.0

redhat jboss_enterprise_application_platformMatch8.0.0

redhat jboss_enterprise_application_platform_expansion_packMatch-

redhat process_automationMatch7.0

redhat single_sign-onMatch7.0

redhat undertowMatch-

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Apache Camel for Spring Boot 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:camel_spring_boot:4"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Apache Camel - HawtIO 4",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:apache_camel_hawtio:4"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "moditect",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:10"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pki-core:10.6/resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "pki-deps:10.6/resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Fuse 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 8",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "org.jberet-jberet-parent",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 8",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "org.jboss.eap-jboss-eap-xp",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform 8",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_application_platform:8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "org.jberet-jberet-parent",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jbosseapxp"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "org.jboss.eap-jboss-eap-xp",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jbosseapxp"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jbosseapxp"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Process Automation 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Single Sign-On 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "undertow-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:red_hat_single_sign_on:7"
    ]
  }
]

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/security/cve/CVE-2026-28367

10 Apr 2026 14:50Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.18.7 - 9.1

EPSS0.00049

SSVC

CWE-444