CVSS: 9.1 | EPSS: 0% | CPEs: 11 | EXPL: 0
CVE-2026-28369 – Undertow: undertow: request smuggling via malformed http request headers
https://notcve.org/view.php?id=CVE-2026-28369
27 Mar 2026 — A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
• https://access.redhat.com/security/cve/CVE-2026-28369
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 9.1 | EPSS: 0% | CPEs: 11 | EXPL: 0
CVE-2026-28368 – Undertow: undertow: request smuggling via inconsistent header parsing
https://notcve.org/view.php?id=CVE-2026-28368
27 Mar 2026 — A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
• https://access.redhat.com/security/cve/CVE-2026-28368
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-3121 – Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
https://notcve.org/view.php?id=CVE-2026-3121
26 Mar 2026 — A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
• https://access.redhat.com/errata/RHSA-2026:6477
• CWE-266: Incorrect Privilege Assignment

CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-3009 – Org.keycloak/keycloak-services: improper enforcement of disabled identity provider in identitybrokerservice (authentication bypass)
https://notcve.org/view.php?id=CVE-2026-3009
05 Mar 2026 — A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
• https://access.redhat.com/errata/RHSA-2026:3947
• CWE-285: Improper Authorization
• CWE-863: Incorrect Authorization

CVSS: 7.8 | EPSS: 1% | CPEs: 10 | EXPL: 0
CVE-2025-9784 – Undertow: undertow madeyoureset http/2 ddos vulnerability
https://notcve.org/view.php?id=CVE-2025-9784
02 Sep 2025 — A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). Red Hat build of Apache Camel 4.14.2 for Spring Boot patch release and security u...
• https://access.redhat.com/security/cve/CVE-2025-9784
• CWE-404: Improper Resource Shutdown or Release
• CWE-770: Allocation of Resources Without Limits or Throttling

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2023-4503 – Eap-galleon: custom provisioning creates unsecured http-invoker
https://notcve.org/view.php?id=CVE-2023-4503
06 Feb 2024 — An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server.
• https://access.redhat.com/errata/RHSA-2023:7637
• CWE-665: Improper Initialization

CVSS: 7.8 | EPSS: 0% | CPEs: 29 | EXPL: 0
CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
10 Mar 2023 — A flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized i...
• https://access.redhat.com/errata/RHSA-2023:1184
• CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2022-1278 – WildFly: possible information disclosure
https://notcve.org/view.php?id=CVE-2022-1278
13 Sep 2022 — A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. A flaw was found in WildFly. This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain. AMQ Broker is a high-performance messaging im...
• https://bugzilla.redhat.com/show_bug.cgi?id=2073401
• CWE-1188: Initialization of a Resource with an Insecure Default

CVSS: 7.5 | EPSS: 1% | CPEs: 5 | EXPL: 1
CVE-2022-0853 – jboss-client: memory leakage in remote client transaction
https://notcve.org/view.php?id=CVE-2022-0853
11 Mar 2022 — A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client side when UserTransaction is used repeatedly, and leads to an information leakage vulnerability. A flaw was found in the jboss-client. A memory leak on the JBoss client-side...
• https://github.com/ByteHackr/CVE-2022-0853
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 5.3 | EPSS: 0% | CPEs: 15 | EXPL: 0
CVE-2021-3642 – wildfly-elytron: possible timing attack in ScramServer
https://notcve.org/view.php?id=CVE-2021-3642
05 Aug 2021 — A flaw was found in WildFly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final, where ScramServer may be susceptible to a timing attack if enabled. The highest threat of this vulnerability is confidentiality.
• https://bugzilla.redhat.com/show_bug.cgi?id=1981407
• CWE-203: Observable Discrepancy
