Fabre

#1134952 undertow: CVE-2026-28369 #1134952

Package:: src:undertow

Source:: src:undertow

Submitter:: Moritz Mühlenhoff

Date:: 2026-04-26 11:53:02 UTC

Severity:: normal

Tags:

#1134952#5

Date:: 2026-04-26 11:16:44 UTC

From:

To:

Hi,

The following vulnerability was published for undertow.

CVE-2026-28369[0]:
| A flaw was found in Undertow. When Undertow receives an HTTP request
| where the first header line starts with one or more spaces, it
| incorrectly processes the request by stripping these leading spaces.
| This behavior, which violates HTTP standards, can be exploited by a
| remote attacker to perform request smuggling. Request smuggling
| allows an attacker to bypass security mechanisms, access restricted
| information, or manipulate web caches, potentially leading to
| unauthorized actions or data exposure.

https://bugzilla.redhat.com/show_bug.cgi?id=2443262


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28369
https://www.cve.org/CVERecord?id=CVE-2026-28369

Please adjust the affected versions in the BTS as needed.

#1134952 undertow: CVE-2026-28369 #1134952

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)