Fedora Account System
Red Hat Associate
Red Hat Customer
Undertow splits header names from values on either space or colon, whichever comes first. This allows for the construction of crafted requests with headers that are visible only to Undertow, but not upstream proxies, which can be used to launch request smuggling attacks.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.1 Via RHSA-2026:25126 https://access.redhat.com/errata/RHSA-2026:25126
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9 Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 Via RHSA-2026:25125 https://access.redhat.com/errata/RHSA-2026:25125