Undertow HTTP Request Smuggling Vulnerability (CVE-2026-28367)
A remote attacker can exploit CVE-2026-28367 in Undertow by sending '\r\r\r' as a header block terminator, leading to request smuggling on vulnerable proxy servers.
CVE-2026-28367 is a request smuggling vulnerability found in Undertow, a flexible performant server-side Java web server. The vulnerability arises from improper handling of HTTP header block terminators. Specifically, a remote attacker can send \r\r\r as a header block terminator, which can be misinterpreted by certain proxy servers. This allows the attacker to potentially smuggle malicious requests, bypassing security controls and gaining unauthorized access to resources or manipulating…
Detection coverage 2
Detect Undertow HTTP Request Smuggling Attempt
highDetects HTTP requests that contain '\r\r\r' in the URI, potentially indicating a request smuggling attempt targeting Undertow servers.
Detect Undertow HTTP Request Smuggling Attempt (Header)
highDetects HTTP requests that contain '\r\r\r' in the HTTP Header, potentially indicating a request smuggling attempt targeting Undertow servers.
Detection queries are kept inside the platform. Get full rules →