Medium severity 5.9 · NVD Advisory · Published Mar 24, 2026 · Updated Apr 8, 2026
CVE-2026-3260
Description
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.undertow:undertow-core (Maven) | < 2.4.0.Beta1 | 2.4.0.Beta1 |
Affected products
- cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- pkg:apk/chainguard/wildfly-openjdk-17 (no CPE), range: < 40.0.0-r0
- pkg:apk/chainguard/wildfly-openjdk-21 (no CPE), range: < 40.0.0-r0
- pkg:apk/wolfi/wildfly-openjdk-17 (no CPE), range: < 40.0.0-r0
- pkg:apk/wolfi/wildfly-openjdk-21 (no CPE), range: < 40.0.0-r0
- pkg:maven/io.undertow/undertow-core (no CPE), range: < 2.4.0.Beta1
References
- access.redhat.com/security/cve/CVE-2026-3260 (source: NVD; Vendor Advisory, Web)
- bugzilla.redhat.com/show_bug.cgi (source: NVD; Issue Tracking, Vendor Advisory, Web)
- github.com/advisories/GHSA-3x3v-w654-m28m (source: GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-3260 (source: GHSA; Advisory)
- github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1 (source: GHSA; Web)