Undertow Request Smuggling via CRCRCR Header Terminator (CVE202628367)
CVE-2026-28367 Published on March 27, 2026
Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Vulnerability Analysis
CVE-2026-28367 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is a HTTP Request Smuggling Vulnerability?
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.
CVE-2026-28367 has been classified to as a HTTP Request Smuggling vulnerability or weakness.
Products Associated with CVE-2026-28367
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
