CVE-2026-5795

HIGH

Eclipse Foundation Eclipse Jetty < 12.1.7 - Privilege Escalation

Title source: rule

Description

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. After the initial checks return, certain conditions cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request handled by the same (pooled) thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
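The bug class in the description, as an added illustration: this is not Jetty's JASPIAuthenticator code and does not reproduce the actual early-return condition. The ThreadLocal name, the Request record, resolveUser() and the "early-return" path are all assumptions chosen to show the mechanism. A single-thread executor stands in for a server thread pool so that two requests are guaranteed to reuse one thread; the leaky variant clears the ThreadLocal only on the normal path, the fixed variant clears it in a finally block on every exit path.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;

// Added illustration of the ThreadLocal-leak pattern behind CVE-2026-5795.
// Not Jetty's JASPIAuthenticator; names and request shape are assumptions.
public class ThreadLocalLeakDemo {

    /** Per-thread state, as an authenticator might keep between its check phases. */
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    /** Constructed request: credential (null = anonymous) and whether the request
     *  hits a code path that returns before the normal cleanup. Requires Java 16+. */
    record Request(String credential, boolean earlyReturn) {}

    /** Vulnerable shape: the ThreadLocal is populated by the initial check, but the
     *  early-return branch skips the remove() that only the normal path executes. */
    static String authenticateLeaky(Request req) {
        if (req.credential() != null) {
            CURRENT_USER.set(req.credential());   // initial check publishes identity
        }
        if (req.earlyReturn()) {
            return "early-return";                // BUG: CURRENT_USER is still set
        }
        String user = resolveUser();
        CURRENT_USER.remove();                    // cleanup only on the normal path
        return user;
    }

    /** Fixed shape: cleanup in finally, so every exit path clears the thread state. */
    static String authenticateFixed(Request req) {
        try {
            if (req.credential() != null) {
                CURRENT_USER.set(req.credential());
            }
            if (req.earlyReturn()) {
                return "early-return";
            }
            return resolveUser();
        } finally {
            CURRENT_USER.remove();                // runs on early return too
        }
    }

    /** Decision step: whatever identity the ThreadLocal holds is trusted. */
    static String resolveUser() {
        String u = CURRENT_USER.get();
        return u == null ? "anonymous" : u;
    }

    /** Run two requests on one worker thread and return the identity the second
     *  (anonymous) request is treated as. With the leaky authenticator the first
     *  request's credential survives the early return and is inherited. */
    static String secondRequestIdentity(Function<Request, String> auth) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();   // forces thread reuse
        try {
            pool.submit(() -> auth.apply(new Request("alice", true))).get();
            return pool.submit(() -> auth.apply(new Request(null, false))).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky: " + secondRequestIdentity(ThreadLocalLeakDemo::authenticateLeaky));
        System.out.println("fixed: " + secondRequestIdentity(ThreadLocalLeakDemo::authenticateFixed));
    }
}
```

The practical check for any authenticator that parks per-request state in ThreadLocals is the same as the fix above: every set() must be paired with a remove() in a finally block that covers all return and exception paths, and a unit test should push an early-returning request followed by an anonymous request through a single-thread executor and assert the second one is not promoted.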

Scores

CVSS v3 7.4
EPSS 0.0002
EPSS Percentile 5.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-226 (Sensitive Information in Resource Not Removed Before Reuse), CWE-287 (Improper Authentication)
Status published
Products (12)
eclipse/jetty 9.4.0 - 9.4.58
Eclipse Foundation/Eclipse Jetty 10.0.0 - 10.0.28
Eclipse Foundation/Eclipse Jetty 11.0.0 - 11.0.28
Eclipse Foundation/Eclipse Jetty 12.0.0 - 12.0.33
Eclipse Foundation/Eclipse Jetty 12.1.0 - 12.1.7
Eclipse Foundation/Eclipse Jetty 9.4.0 - 9.4.60
org.eclipse.jetty/jetty-jaspi 11.0.0 - 11.0.29 (Maven)
org.eclipse.jetty.ee10/jetty-ee10 12.1.0 - 12.1.7 (Maven)
org.eclipse.jetty.ee10/jetty-ee10-jaspi 12.1.0 - 12.1.8 (Maven)
org.eclipse.jetty.ee11/jetty-ee11-jaspi 12.1.0 - 12.1.8 (Maven)
... and 2 more
Published Apr 08, 2026
Tracked Since Apr 08, 2026