JBoss Enterprise Application Platform (EAP) 8.1 vulnerabilities

Updated -

This article lists all security vulnerabilities (CVEs) fixed in released updates for JBoss Enterprise Application Platform (EAP) 8.1.

JBoss Enterprise Application Platform 8.1 Update 6.1

(full notes)

ID Component Impact Summary
CVE-2026-28369 Server Important undertow-core: Undertow: Request Smuggling via Malformed HTTP Request Headers [eap-8.1.z]
CVE-2026-1605 Server Important jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests [eap-8.1.z]
CVE-2026-28367 Server Important undertow-core: Undertow: Request smuggling via \r\r\r as a header block terminator [eap-8.1.z]
CVE-2026-28368 Server Important undertow-core: Undertow: Request smuggling via inconsistent header parsing [eap-8.1.z]

JBoss Enterprise Application Platform 8.1 Update 6

(full notes)

ID Component Impact Summary
CVE-2025-23368 Security Important wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI
CVE-2026-27446 Server Important artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication
CVE-2026-27830 Server Important c3p0/c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects
CVE-2026-26996 Server Moderate io.hawt-project: minimatch: Denial of Service via specially crafted glob patterns
CVE-2026-5598 Server Important bcprov-jdk12: private key leakage via non-constant time comparisons
CVE-2026-27727 Server Important mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects
CVE-2026-27904 Server Moderate io.hawt-project: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
CVE-2026-33870 Server Important netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
CVE-2025-14813 Server Important bcprov-ext-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly
CVE-2026-33871 Server Important netty-codec-http-4.1.100.Final.jar: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
CVE-2026-0636 Server Important bcprov-ext-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java
CVE-2026-5588 Server Important bcpkix-fips: PKIX draft CompositeVerifier accepts empty signature sequence as valid
CVE-2026-3505 Server Important bcpg-fips: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion
CVE-2025-67030 Server Important plexus-utils: Plexus-utils: Directory Traversal in extractFile method

JBoss Enterprise Application Platform 8.1 Update 5

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 4.1

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 4

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 3

(full notes)

ID Component Impact Summary
CVE-2024-3884 Undertow Moderate undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
CVE-2025-9784 Undertow Important undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability
CVE-2025-12543 Undertow Important undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF

JBoss Enterprise Application Platform 8.1 Update 2

(full notes)

ID Component Impact Summary
CVE-2025-4949 Server Moderate org.eclipse.jgit: XXE vulnerability in Eclipse JGit

JBoss Enterprise Application Platform 8.1 Update 1

(full notes)
No CVE fixes

JBoss Enterprise Application Platform 8.1 Update 0.1

(full notes)

ID Component Impact Summary
CVE-2025-55163 Server Important netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability
CVE-2025-58056 Server Moderate netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
CVE-2025-48913 Server Important cxf: CXF JMS Code Execution Vulnerability [eap-8.0.z]

Additional fixes from preceding EAP 8.0 updates

JBoss Enterprise Application Platform 8.0 Update 08

(full notes)

ID Component Impact Summary
CVE-2025-2251 EJB Major wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution [details]
CVE-2025-23184 Server Major org.apache.cxf/cxf-core: Apache CXF: Denial of Service vulnerability with temporary files
CVE-2025-27611 Server Major org.jboss.hal-hal-parent: base-x homograph attack allows Unicode lookalike characters to bypass validation.
CVE-2025-48734 Server Major commons-beanutils-commons-beanutils: Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
CVE-2025-2901 Server Major org.jboss.hal-hal-parent: Stored Cross-Site Scripting (XSS) in JBoss EAP Management Console

JBoss Enterprise Application Platform 8.0 Update 07

(full notes)

ID Component Impact Summary
CVE-2024-12369 Security Moderate org.wildfly/wildfly-elytron-oidc-client-subsystem: OIDC Authorization Code Injection
CVE-2025-23367 Management Moderate org.wildfly.core/wildfly-server: Wildfly improper RBAC permission

JBoss Enterprise Application Platform 8.0 Update 06.1

(full notes)

ID Component Impact Summary
CVE-2024-8447 Server Moderate org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator
CVE-2024-47535 Server Moderate io.netty/netty: Denial of Service attack on windows app using Netty
CVE-2025-24970 Server Important io.netty/netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
CVE-2025-25193 Server Moderate netty-common: Denial of Service attack on windows app using Netty

JBoss Enterprise Application Platform 8.0 Update 06

(full notes)

ID Component Impact Summary
CVE-2024-10234 Web Console Moderate org.wildfly.core/wildfly-core-management-subsystem: Wildfly vulnerable to Cross-Site Scripting (XSS)

JBoss Enterprise Application Platform 8.0 Update 05.1

(full notes)

ID Component Impact Summary
CVE-2024-51127 Web Services Major org.hornetq/hornetq-core-client: From CVEorg collector

JBoss Enterprise Application Platform 8.0 Update 05

(full notes)

ID Component Impact Summary
CVE-2024-8447 Server Major org.jboss.narayana-narayana-all: deadlock via multiple join requests sent to LRA Coordinator [eap-8.0.z]
CVE-2024-4109 Undertow Moderate undertow information leakage via HTTP/2 request header reuse

JBoss Enterprise Application Platform 8.0 Update 04.1

(full notes)

ID Component Impact Summary
CVE-2024-8883 Server Minor org.keycloak/keycloak-services: Vulnerable Redirect URI Validation Results in Open Redirect [eap-8.0.z]

JBoss Enterprise Application Platform 8.0 Update 04

(full notes)

ID Component Impact Summary
CVE-2024-4029 Management Low wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)
CVE-2023-52428 Security Important com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
CVE-2024-8698 Security Important org.keycloak/keycloak-saml-core-public: Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
CVE-2022-34169 Server Important xalan: OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
CVE-2024-41172 Web Services Moderate org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients

JBoss Enterprise Application Platform 8.0 Update 03.1

(full notes)

ID Component Impact Summary
CVE-2024-7885 Undertow Important undertow: Improper State Management in Proxy Protocol parsing causes information leakage
CVE-2024-21634 Clustering Important software.amazon.ion/ion-java: ion-java: Ion Java StackOverflow vulnerability

JBoss Enterprise Application Platform 8.0 Update 03

(full notes)

ID Component Impact Summary
CVE-2024-30172 Moderate org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class
CVE-2024-30171 Security Moderate org.bouncycastle-bcprov-jdk18on: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)
CVE-2024-29857 Server Moderate org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service
CVE-2024-28752 Web Services Important cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding
CVE-2024-29025 JMS Moderate netty-codec-http: Allocation of Resources Without Limits or Throttling

JBoss Enterprise Application Platform 8.0 Update 02.1

(full notes)

ID Component Impact Summary
CVE-2023-51775 Security Moderate jose4j: denial of service via specially crafted JWE
CVE-2024-5971 Server Important undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
CVE-2024-3653 Undertow Low undertow: LearningPushHandler can lead to remote memory DoS attacks
CVE-2024-27316 Undertow Moderate HTTP-2: httpd: CONTINUATION frames DoS

JBoss Enterprise Application Platform 8.0 Update 02

(full notes)

ID Component Impact Summary
CVE-2024-1233 Security Moderate eap: JBoss EAP: wildfly-elytron has a SSRF security issue
CVE-2024-1102 Server Moderate jberet-core: jberet: jberet-core logging database credentials
CVE-2023-4503 Server Moderate eap-galleon: custom provisioning creates unsecured http-invoker
CVE-2023-6236 Security Moderate eap: JBoss EAP: OIDC app attempting to access the second tenant, the user should be prompted to log

JBoss Enterprise Application Platform 8.0 Update 01.1

(full notes)

ID Component Impact Summary
CVE-2023-4639 Server Moderate undertow: Cookie Smuggling/Spoofing
CVE-2024-6162 Undertow Moderate undertow: url-encoded request path information can be broken on ajp-listener
CVE-2023-1973 Undertow Important undertow: unrestricted request storage leads to memory exhaustion

JBoss Enterprise Application Platform 8.0 Update 01

(full notes)

ID Component Impact Summary
CVE-2023-4759 Management Moderate jgit: arbitrary file overwrite
CVE-2023-48795 Server Moderate apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
CVE-2023-35887 Server Low sshd-common: apache-mina-sshd: information exposure in SFTP server implementations