Undertow DoS via multipart/form-data resource exhaustion
CVE-2026-3260 Published on March 24, 2026

Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

NVD

Vulnerability Analysis

CVE-2026-3260 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 26 days later.

Weakness Type

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.


Products Associated with CVE-2026-3260

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Camel Spring Boot
 
Red Hat Apache Camel Hawtio
 
Red Hat Jboss Data Grid
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Jboss Fuse
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Jboss Enterprise Bpms Platform
 
Red Hat Single Sign On
 

Affected Versions

Red Hat build of Apache Camel for Spring Boot 4: Red Hat build of Apache Camel - HawtIO 4: Red Hat Data Grid 8: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Fuse 7: Red Hat JBoss Enterprise Application Platform 7: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Process Automation 7: Red Hat Single Sign-On 7: