fix(deps): update dependency io.undertow:undertow-core to v2.4.0.final [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
io.undertow:undertow-core (source)	2.3.23.Final → 2.4.0.Final

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests

CVE-2026-3260 / GHSA-3x3v-w654-m28m

More information

Details

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-3260
• https://access.redhat.com/security/cve/CVE-2026-3260
• https://bugzilla.redhat.com/show_bug.cgi?id=2443010
• https://github.com/undertow-io/undertow/releases/tag/2.4.0.Beta1
• https://github.com/advisories/GHSA-3x3v-w654-m28m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

v2.4.0.Final

Compare Source

v2.3.24.Final

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.