CVE-2026-5795
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.
Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.
A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Eclipse Foundation | Eclipse Jetty | 12.1.0 <= 12.1.7 | affected |
| Eclipse Foundation | Eclipse Jetty | 12.0.0 <= 12.0.33 | affected |
| Eclipse Foundation | Eclipse Jetty | 11.0.0 <= 11.0.28 | affected |
| Eclipse Foundation | Eclipse Jetty | 10.0.0 <= 10.0.28 | affected |
| Eclipse Foundation | Eclipse Jetty | 9.4.0 <= 9.4.60 | affected |
Weaknesses
- CWE-226: CWE-226 Sensitive information in resource not removed before reuse
- CWE-287: CWE-287 Improper Authentication
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables
Additional References
- https://access.redhat.com/security/cve/CVE-2026-5795
- https://bugzilla.redhat.com/show_bug.cgi?id=2456519
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5795.json
- https://access.redhat.com/errata/RHSA-2026:25089
- https://access.redhat.com/errata/RHSA-2026:28573
- https://access.redhat.com/errata/RHSA-2026:17668
References
- https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436chttps://
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/92
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.