
CVE-2026-28369

Summary

CVE-2026-28369 is an Undertow request smuggling vulnerability involving malformed HTTP request headers. Red Hat describes the condition as an HTTP request where the first header line starts with one or more spaces. Undertow strips the leading spaces, which can cause it to interpret the request differently from an upstream proxy.

Red Hat rates the issue as Important with CVSS 3.1 score 8.7, using high attack complexity because exploitation depends on an upstream proxy/backend parser mismatch. NVD also lists a 9.1 Critical score, but the Red Hat CNA score better reflects the deployment prerequisite.

light-4j Applicability

light-4j uses Undertow through io.undertow:undertow-core, so dependency scanners can report this CVE for light-4j applications.

The issue is conditionally applicable only when a malformed HTTP/1.1 request is accepted by an upstream proxy and forwarded to Undertow in a way that causes the proxy and Undertow to disagree about request boundaries or headers. If the upstream component rejects the malformed header line, the request does not reach Undertow and the smuggling condition is removed.

The finding is not applicable, or is not exploitable, when:

  • The light-4j service is not behind an upstream HTTP/1.1 proxy that forwards malformed first-header-line syntax.
  • The edge proxy, load balancer, gateway, or WAF rejects header lines with leading whitespace.
  • HTTPS and HTTP/2 are used end to end, without translating malformed HTTP/1.1 traffic into the Undertow origin hop.
  • The light-4j listener is protected by network controls and only accepts traffic from trusted components that enforce strict HTTP syntax.

Mitigation

For light-4j deployments, mitigation should focus on strict request validation at the edge and conservative server configuration:

  • Configure upstream proxies, load balancers, gateways, and WAFs to reject header lines that begin with whitespace.
  • Do not allow a permissive edge component to normalize and forward malformed HTTP/1.1 requests to Undertow.
  • Prefer the default light-4j production posture: HTTPS enabled, clear HTTP disabled, HTTP/2 enabled, and unescaped URL characters disabled.
  • If a customer uses a legacy HTTP/1.1 proxy in front of light-4j, verify that it rejects malformed header syntax before forwarding.
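The strict edge check described above, as an added example that is not light-4j, Undertow, or any proxy's own code: a validator over a raw HTTP/1.1 request head that rejects any header line starting with SP or HTAB (the first header line being the case this CVE concerns), beside a small model of a lenient parser that strips the whitespace, so the two views of the same bytes can be compared. The sample request heads are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample request heads (not captured traffic), CRLF line endings.
GOOD = b"GET /api/v1/health HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 0\r\n\r\n"
BAD_FIRST_HEADER = b"GET /api/v1/health HTTP/1.1\r\n  Host: api.example.test\r\nContent-Length: 0\r\n\r\n"
BAD_FOLDED = b"POST /api/v1/orders HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 5\r\n\tX-Extra: 1\r\n\r\nhello"

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
# token ":" OWS field-value OWS, with no CR/LF inside the value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def validate_request_head(raw: bytes) -> Tuple[bool, str]:
    """Strict check an edge component can apply before forwarding.
    Returns (ok, reason); ok is False when the request must be rejected."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        return False, "incomplete head"
    lines = raw[:end].split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False, "malformed request line"
    for i, line in enumerate(lines[1:], start=1):
        if line[:1] in (b" ", b"\t"):
            # Leading whitespace on a header line: reject instead of normalising.
            where = "first header line" if i == 1 else "header line %d" % i
            return False, "leading whitespace on " + where
        if not HEADER_LINE.match(line):
            return False, "malformed header line %d" % i
    return True, "ok"


def lenient_header_names(raw: bytes) -> List[bytes]:
    """Model of a lenient parser that strips leading whitespace and carries on.
    It stands in for the behaviour Red Hat describes; it is not Undertow's code.
    Used only to show how the lenient and strict views of one request diverge."""
    end = raw.find(b"\r\n\r\n")
    names = []
    for line in raw[:end].split(b"\r\n")[1:]:
        name, _, _ = line.lstrip(b" \t").partition(b":")
        names.append(name.lower())
    return names
```

Running the validator over the three samples shows the strict view rejecting both malformed heads while the lenient model still yields a normal-looking `host` header from the same bytes, which is the parser disagreement the smuggling condition depends on.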

Customer Response

This CVE is a conditional Undertow request smuggling issue. light-4j may be flagged because it embeds Undertow, but the issue requires a vulnerable upstream HTTP/1.1 proxy path that forwards malformed header-line syntax to Undertow. With strict edge validation, an HTTPS/HTTP/2-oriented deployment, and clear HTTP disabled for untrusted access, the issue is not exploitable in light-4j.

References