Medium severity5.9NVD Advisory· Published Mar 24, 2026· Updated Apr 8, 2026
CVE-2026-3260
CVE-2026-3260
Description
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | < 2.4.0.Beta1 | 2.4.0.Beta1 |
Affected products
13- cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- access.redhat.com/security/cve/CVE-2026-3260nvdVendor AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-3x3v-w654-m28mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-3260ghsaADVISORY
- github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1ghsaWEB
News mentions
0No linked articles in our index yet.