CVE-2026-5795

CVSS v3.1

7.4

High

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Eclipse Jetty (affected versions not specified)

Description Eclipse Jetty's JASPIAuthenticator class sets two ThreadLocal variables during authentication checks. Under certain conditions, the code returns early without clearing these ThreadLocal variables. A subsequent request using the same thread inherits these values, resulting in broken access control and potential privilege escalation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-226

Related Identifiers

CVE-2026-5795

GHSA-GC59-R5JQ-98QW

GHSA-R7P8-XQ5M-436C

Affected Products

Eclipse Jetty

CVE-2026-5795

Weakness Enumeration

Related Identifiers

Affected Products

References · 11