CVE-2025-12543

Undertow's Hostile Hospitality: Bypassing Validation via Malformed Headers

Alon Barad
Software Engineer

Jan 12, 2026 · 6 min read

Executive Summary (TL;DR)

Undertow failed to reject malformed `Host` headers (like `Host: evil.com `), violating RFC 7230. By sending headers that proxies might normalize but Undertow accepts as-is, attackers can poison web caches, hijack sessions, or trigger SSRF. Rated Critical (9.6), this affects JBoss EAP, WildFly, and Keycloak.

A critical input validation failure in the Undertow HTTP server core allows attackers to supply malformed Host headers (containing spaces, tabs, or illegal characters) without triggering a 400 Bad Request. This parsing leniency creates a dangerous desynchronization between front-end proxies and the back-end server, enabling cache poisoning, SSRF, and session hijacking.
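As an added illustration (not part of this advisory and not Undertow's own parser), the check below applies the RFC 7230 `Host` grammar that the advisory says Undertow failed to enforce: the value is validated exactly as received, so the trailing-space case `evil.com ` is rejected with the 400 a compliant origin server must return. The sample values are constructed.

```python
import re

# Host = uri-host [ ":" port ]  (RFC 7230 s5.4); uri-host per RFC 3986 s3.2.2:
#   reg-name = *( unreserved / pct-encoded / sub-delims ), IP-literal = "[" ... "]"
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # IPv6 only; IPvFuture omitted for brevity
_HOST_RE = re.compile(rf"^(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?$")


def check_host_header(value: str) -> tuple[bool, str]:
    """Validate the raw Host value as received (no strip()): trimming is what
    lets 'evil.com ' pass a lenient parser while a front-end proxy may have
    routed or cached on a different key. Returns (accepted, reason)."""
    if value == "":
        # Policy choice for this example: RFC 7230 permits an empty Host when
        # the target URI has no authority, but a web application should not see one.
        return False, "empty"
    for ch in value:
        if ch in " \t":
            return False, "whitespace"
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            return False, "control-character"
        if ord(ch) > 0x7E:
            return False, "non-ascii"
    if not _HOST_RE.fullmatch(value):
        return False, "illegal-character"
    return True, "ok"


def http_status_for(value: str) -> int:
    """RFC 7230 s5.4: a server MUST respond 400 to any invalid Host field."""
    return 200 if check_host_header(value)[0] else 400


# Constructed samples, including the trailing-space case from the advisory.
SAMPLES = {
    "example.com:8080": (True, "ok"),
    "[::1]:443": (True, "ok"),
    "evil.com ": (False, "whitespace"),
    "evil.com\r\n": (False, "control-character"),
    "example.com/path": (False, "illegal-character"),
    "": (False, "empty"),
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        assert check_host_header(raw) == expected, raw
        print(f"{raw!r:20} -> HTTP {http_status_for(raw)} ({expected[1]})")
```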

Technical Appendix

CVSS Score: 9.6 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Probability: 0.13% (top 66% most exploited)

Affected Systems

- Red Hat JBoss Enterprise Application Platform (EAP) 7
- Red Hat JBoss Enterprise Application Platform (EAP) 8
- Red Hat Single Sign-On (Keycloak) 7
- WildFly (versions prior to fix)
- Red Hat Data Grid 8
- Red Hat Build of Apache Camel

Affected Versions Detail

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| JBoss EAP | Red Hat | < 8.1 (Jan 2026 Update) | 8.1.0.GA-patch |
| Undertow Core | JBoss.org | < 2.3.21.Final | 2.3.21.Final |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-20 (Improper Input Validation) |
| CVSS v3.1 | 9.6 (Critical) |
| Attack Vector | Network (Remote) |
| Impact | Cache Poisoning, SSRF, Session Hijacking |
| EPSS Score | 0.13% |
| Exploit Status | PoC Available / Weaponized Context |

CWE-20: Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Vulnerability Timeline

- 2025-10-31: Vulnerability reported to Red Hat by Ahmet Artuç
- 2026-01-07: CVE-2025-12543 assigned and published
- 2026-01-08: Red Hat releases security advisories and patches
