CVE-2026-5795

Summary

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Jetty12.1.0 <= 12.1.7affected
Eclipse FoundationEclipse Jetty12.0.0 <= 12.0.33affected
Eclipse FoundationEclipse Jetty11.0.0 <= 11.0.28affected
Eclipse FoundationEclipse Jetty10.0.0 <= 10.0.28affected
Eclipse FoundationEclipse Jetty9.4.0 <= 9.4.60affected

Weaknesses

  • CWE-226: CWE-226 Sensitive information in resource not removed before reuse
  • CWE-287: CWE-287 Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables

Additional References

References