
AIKIDO-2026-10533

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE-2026-28368

Published Apr 24, 2026

87

High Risk

This Affects:

Java: undertow-core
Vulnerable versions: 0.0.1 - 2.3.24.Final

TL;DR

A flaw was found in Undertow: it parses HTTP header names differently from the upstream proxies commonly placed in front of it. Because the proxy and Undertow can disagree about where a header name ends and which headers a request contains, a remote attacker can construct specially crafted requests that exploit this inconsistent interpretation, potentially bypassing security controls enforced at the proxy, poisoning web caches, and launching HTTP request smuggling attacks.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.
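The quickest way to answer that question for a Maven build is to list the resolved dependencies (`mvn dependency:list`) and compare every `io.undertow:undertow-core` version against the advisory's range. The script below is an added example, not part of this advisory or of the Undertow project: it implements a simplified approximation of Maven's version ordering (numeric segments first, then a qualifier such as `Alpha1`, `Beta2` or `Final`) and flags versions inside the inclusive range `0.0.1 - 2.3.24.Final`. The `mvn dependency:list` output it scans is constructed sample input; the version values in it are illustrative, not a statement about which releases exist.

```python
import re
from typing import List, Tuple

# Vulnerable range as stated in the advisory (inclusive at both ends).
VULN_LOW = "0.0.1"
VULN_HIGH = "2.3.24.Final"

# Qualifier ranking: a simplified approximation of Maven's ComparableVersion
# ordering. Pre-release qualifiers sort below a bare/Final release; a
# service pack ("SP") sorts above it.
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0,
    "beta": 1, "b": 1,
    "milestone": 2, "m": 2,
    "rc": 3, "cr": 3,
    "snapshot": 4,
    "": 5, "final": 5, "ga": 5, "release": 5,
    "sp": 6,
}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(v: str) -> VersionKey:
    """Turn '2.3.24.Final' into ((2, 3, 24), rank('final'), 0) for ordering."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.-]?([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    # Drop trailing zeros so that 2.3 and 2.3.0 compare equal, as Maven does.
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    qualifier = (m.group(2) or "").lower()
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier {qualifier!r} in {v!r}")
    qualifier_number = int(m.group(3)) if m.group(3) else 0
    return nums, _QUALIFIER_RANK[qualifier], qualifier_number


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's vulnerable range."""
    return parse_version(VULN_LOW) <= parse_version(version) <= parse_version(VULN_HIGH)


# Matches the coordinate format printed by `mvn dependency:list`, e.g.
# "io.undertow:undertow-core:jar:2.3.18.Final:compile" (packaging optional).
_DEP_LINE = re.compile(r"io\.undertow:undertow-core:(?:[\w-]+:)?([^:\s]+)")


def find_undertow_versions(lines: List[str]) -> List[str]:
    """Extract every undertow-core version mentioned in dependency:list output."""
    return [m.group(1) for line in lines if (m := _DEP_LINE.search(line))]


def affected_versions(lines: List[str]) -> List[str]:
    """Return only the undertow-core versions that fall in the vulnerable range."""
    return [v for v in find_undertow_versions(lines) if is_affected(v)]


# Constructed sample of `mvn dependency:list` output (not real build output).
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    io.undertow:undertow-core:jar:2.3.18.Final:compile
[INFO]    io.undertow:undertow-servlet:jar:2.3.18.Final:compile
[INFO]    org.jboss.xnio:xnio-api:jar:3.8.16.Final:compile
[INFO]    io.undertow:undertow-core:jar:2.4.0.Alpha1:test
""".splitlines()


if __name__ == "__main__":
    hits = affected_versions(SAMPLE_MVN_OUTPUT)
    for v in find_undertow_versions(SAMPLE_MVN_OUTPUT):
        print(f"undertow-core {v}: {'AFFECTED' if v in hits else 'outside range'}")
```

In a real pipeline, pipe `mvn dependency:list` into the script instead of the constructed sample, and treat any hit as a finding. Note that the range check only says whether a version is inside the advisory's stated range; since no fixed release exists yet, a version above the range is not evidence that the flaw is fixed.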

Background info

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in versions 0.0.1 - 2.3.24.Final.

How to fix this

No fixed release is available yet. Pull requests addressing the issue are ready to merge, and the fix is expected to ship in version 2.4.0.