SecuriTricks - CVE-2026-28367

Description

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.

Product(s) Impacted

Vendor	Product	Versions
Undertow	Undertow	*
Apache	Traffic Server	*
Google	Cloud Classic Application Load Balancer	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	undertow	undertow	/	/	/	/	/	/	/	/
a	apache	traffic_server	/	/	/	/	/	/	/	/
a	google	cloud_classic_application_load_balancer	/	/	/	/	/	/	/	/

References

https://access.redhat.com/security/cve/CVE-2026-28367

https://bugzilla.redhat.com/show_bug.cgi?id=2443260

CVSS Score

8.7 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

View Vector String

Timeline

Published: March 27, 2026, 5:16 p.m.
Last Modified: March 27, 2026, 5:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-28367