Bug 2443262 (CVE-2026-28369)

Summary: CVE-2026-28369 undertow: Undertow: Request Smuggling via Malformed HTTP Request Headers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrianik, aschwart, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, bstansbe, darran.lofthouse, dhanak, dlofthou, dosoudil, drosa, fjuma, fmariani, ggrzybek, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jrokos, kverlaen, mnovotny, mosmerov, mposolda, msvehla, nwallace, parichar, pberan, pdelbell, pesilva, pjindal, pmackay, rmartinc, rstancel, rstepani, sausingh, security-response-team, smaestri, ssilvert, sthorger, tasato, tcunning, thjenkin, tom.jenkinson, vdosoudi, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-27 04:44:52 UTC 
When Undertow receives a request in which the first header line begins
with one or more spaces, it strips them before processing the request.
This is usable as a request smuggling primitive.

The HTTP RFCs state that when a field-line begins with a space or tab,
it is permissible to concatenate it into the previous field-line's
value. This is referred to as `obs-fold` in the RFCs. However, it is
always invalid to obs-fold on the first line, since there is no
previous field-line to concatenate into. Thus, the message should be
rejected.