CVE-2026-3260 PUBLISHED

Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests

Assigner: redhat
Reserved: 26.02.2026 Published: 24.03.2026 Updated: 24.03.2026

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat build of Apache Camel for Spring Boot 4
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat build of Apache Camel - HawtIO 4
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Data Grid 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Fuse 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Process Automation 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Single Sign-On 7
Versions	Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

References

Problem Types

Allocation of Resources Without Limits or Throttling CWE