HIGH🇵🇱 Wersja polska

CVE-2026-28367

CVSS 8.7v3.1pub. 2026-03-27upd. 2026-06-29

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Red Hat Build Of Apache Camel For Spring Boot

    APP
    Redhat
    4.0
  • Red Hat Build Of Apache Camel Hawtio

    APP
    Redhat
    4.0
  • Red Hat Data Grid

    APP
    Redhat
    8.0
  • Red Hat Fuse

    APP
    Redhat
    7.0.0
  • Red Hat Jboss Enterprise Application Platform

    APP
    Redhat
    7.0.08.0.0
  • Red Hat Jboss Enterprise Application Platform Expansion Pack

    APP
    Redhat
    wszystkie wersje
  • Red Hat Process Automation

    APP
    Redhat
    7.0
  • Red Hat Single Sign On

    APP
    Redhat
    7.0
  • Red Hat Undertow

    APP
    Redhat
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2017-12149CRITICAL9.8⚠ KEVten sam produkt

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the...

CVE-2016-4437CRITICAL9.8⚠ KEVten sam produkt

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows rem...

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2025-12543CRITICAL9.6PL ✓ten sam produkt

Brak walidacji nagłówka Host w serwerze Undertow HTTP

CVE-2022-4361CRITICAL10.0ten sam produkt

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerabili...