
CVE-2026-28367

Summary

CVE-2026-28367 is an HTTP request smuggling vulnerability in Undertow involving a non-standard HTTP header block terminator. Red Hat describes the condition as a remote attacker sending a malformed header-block terminator that certain upstream proxies and Undertow interpret differently, so the proxy and the origin disagree on where one request ends and the next begins.

Red Hat rates the issue as Important with a CVSS 3.1 base score of 8.7, with Attack Complexity set to High because exploitation depends on a proxy/backend pair whose parsers disagree. NVD also lists a 9.1 Critical score, but the Red Hat CNA score better reflects the deployment prerequisite.

light-4j Applicability

light-4j uses Undertow through io.undertow:undertow-core, so dependency scanners can report this CVE for light-4j applications.

The issue is not directly exploitable in every light-4j deployment. It requires an HTTP/1.1 request path where an upstream proxy accepts and forwards a malformed header block terminator, and Undertow interprets the forwarded bytes differently. Red Hat specifically names older Apache Traffic Server versions and Google Cloud Classic Application Load Balancer configurations as examples of proxy environments where this class of issue can matter.

The finding is not applicable, or is not exploitable, when:

  • The light-4j service is not behind an affected HTTP/1.1 proxy or load balancer.
  • The client-facing edge rejects malformed HTTP/1.1 requests before they reach Undertow.
  • The deployment uses HTTPS and HTTP/2 end-to-end, so no malformed HTTP/1.1 framing is carried onto the Undertow origin hop.
  • The light-4j service is reachable only through trusted internal traffic controls that enforce strict HTTP request validation.

Mitigation

For exposed services, configure the upstream proxy, load balancer, gateway, or WAF to reject non-standard HTTP header block terminators before forwarding to light-4j. This matches Red Hat’s stated mitigation for this CVE.
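As an added illustration of both the parsing mismatch described under light-4j Applicability and the edge-side rejection recommended above, the following Python sketch is not Undertow, light-4j or Red Hat code. It models a strict HTTP/1.1 parser that accepts only CRLF CRLF as the header-block terminator and a lenient one that also accepts a bare LF LF; the lenient terminator is an assumed stand-in, since the exact non-standard terminator behind the CVE is not given on this page. It shows that one constructed byte stream yields a single request under the strict parser and two under the lenient one, and it ends with the kind of framing check an edge proxy should apply before forwarding anything to the origin.

```python
# Added example (not Undertow, light-4j, or Red Hat code).  Models the class of
# proxy/origin parsing mismatch behind CVE-2026-28367: two HTTP/1.1 parsers that
# disagree on what ends a header block carve the same bytes into a different
# number of requests.  ASSUMPTION: the exact non-standard terminator behind the
# CVE is not reproduced here; a bare LF LF (b"\n\n") stands in for it.

STRICT_TERMINATORS = (b"\r\n\r\n",)              # RFC 9112 framing only
LENIENT_TERMINATORS = (b"\r\n\r\n", b"\n\n")     # assumed lenient parser


def _find_terminator(buf, terminators):
    """Return (offset, length) of the earliest accepted terminator in buf, else None."""
    best = None
    for term in terminators:
        idx = buf.find(term)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, len(term))
    return best


def _content_length(header_block):
    """First Content-Length value in the block, or 0 if absent or non-numeric."""
    for line in header_block.split(b"\n"):
        name, sep, value = line.strip().partition(b":")
        if sep and name.strip().lower() == b"content-length" and value.strip().isdigit():
            return int(value.strip())
    return 0


def split_requests(stream, terminators):
    """Carve `stream` into (request_line, body) pairs using the given terminator set.

    Bodies are delimited by Content-Length only (no chunked support; that is
    enough to show the terminator desync).  Trailing bytes that do not form a
    complete request are dropped.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        hit = _find_terminator(stream[pos:], terminators)
        if hit is None:
            break
        idx, tlen = hit
        header_block = stream[pos:pos + idx]
        body_start = pos + idx + tlen
        clen = _content_length(header_block)
        body = stream[body_start:body_start + clen]
        if len(body) < clen:
            break
        request_line = header_block.split(b"\n", 1)[0].rstrip(b"\r")
        requests.append((request_line.decode("ascii", "replace"), body))
        pos = body_start + clen
    return requests


def compare_views(stream):
    """Request lines as seen by the strict parser and by the lenient one."""
    strict = [line for line, _ in split_requests(stream, STRICT_TERMINATORS)]
    lenient = [line for line, _ in split_requests(stream, LENIENT_TERMINATORS)]
    return strict, lenient


def reject_malformed_framing(stream):
    """Edge-side check of the kind the mitigation calls for.

    Accepts only a header block whose lines all end in CRLF and that ends in
    CRLF CRLF; any bare CR or LF, or a non-first line without a colon, is
    rejected.  Returns None when the framing is clean, otherwise a reason.
    """
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return "no CRLF CRLF header-block terminator"
    lines = stream[:end].split(b"\r\n")
    for i, line in enumerate(lines):
        if b"\r" in line or b"\n" in line:
            return "bare CR or LF inside header block"
        if i > 0 and b":" not in line:
            return "header line without a colon"
    return None


# Constructed traffic (not captured from any real system).  The first request
# claims an empty body and is followed by a bare LF instead of CRLF, then a
# second request the attacker wants the origin to see but the proxy not to.
SMUGGLED = (
    b"POST /api/orders HTTP/1.1\r\n"
    b"Host: light4j.internal\r\n"
    b"Content-Length: 0\r\n"
    b"\n"                                   # non-standard terminator (assumed)
    b"GET /admin/users HTTP/1.1\r\n"
    b"Host: light4j.internal\r\n"
    b"\r\n"
)

CLEAN = (
    b"POST /api/orders HTTP/1.1\r\n"
    b"Host: light4j.internal\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)

if __name__ == "__main__":
    strict, lenient = compare_views(SMUGGLED)
    print("strict proxy view  :", strict)    # one request, POST /api/orders
    print("lenient origin view:", lenient)   # two requests, /admin/users smuggled
    print("edge check (smuggled):", reject_malformed_framing(SMUGGLED))
    print("edge check (clean):   ", reject_malformed_framing(CLEAN))
```

The strict view is what a proxy applying path-based access control would act on; the lenient view is what a more forgiving origin would actually execute. Because the proxy has already forwarded the raw bytes by the time the origin reads them, the only place the check can prevent the second request from reaching Undertow is the edge, which is why reject_malformed_framing runs before forwarding and why a well-formed request such as CLEAN parses identically under both terminator sets.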

For light-4j configuration, keep the default production posture:

  • enableHttps: true
  • enableHttp: false
  • enableHttp2: true
  • allowUnescapedCharactersInUrl: false

If a customer must run light-4j behind an HTTP/1.1 proxy, validate the exact proxy product, version and mode. The proxy must reject malformed request framing outright, or at least re-serialize the request it parsed rather than forwarding the original bytes, so that the non-standard terminator never reaches Undertow.

Customer Response

This CVE is a deployment-dependent Undertow request smuggling issue. NetworkNT has confirmed that light-4j embeds Undertow, but exploitability requires a vulnerable upstream HTTP/1.1 proxy path that forwards malformed header termination to Undertow. In the recommended light-4j deployment, HTTPS and HTTP/2 are enabled, cleartext HTTP is disabled, and the edge proxy enforces strict HTTP request validation. When those controls are in place, the issue is not exploitable in the light-4j service.
