PT-2026-31308 · Eclipse · Eclipse Jetty

Published

2026-04-08

·

Updated

2026-05-31

·

CVE-2026-5795

CVSS v3.1

7.4

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Eclipse Jetty (affected versions not specified)

Description

Eclipse Jetty's JASPIAuthenticator class sets two ThreadLocal variables during authentication checks. Under certain conditions, the code returns early without clearing these ThreadLocal variables. A subsequent request handled on the same thread inherits the stale values, resulting in broken access control and potential privilege escalation.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
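The description above comes down to a cleanup-on-every-exit-path bug. The following Java sketch, added here and not Jetty's own JASPIAuthenticator code, models that pattern with two hypothetical ThreadLocal fields and a constructed user name, and puts the leaky form beside the try/finally form that removes the state on every return path.

```java
// Illustrative model of the bug class in the advisory; not Jetty's JASPIAuthenticator code.
public class ThreadLocalLeakDemo {
    // Hypothetical per-thread state, standing in for the two ThreadLocals the advisory mentions.
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    private static final ThreadLocal<Boolean> MANDATORY = new ThreadLocal<>();

    // Vulnerable pattern: the early return skips the cleanup at the end of the method.
    static String authenticateLeaky(String user, boolean mandatory) {
        CURRENT_USER.set(user);
        MANDATORY.set(mandatory);
        if (!mandatory) {
            return "deferred"; // ThreadLocals are still populated on this thread
        }
        String result = "authenticated:" + CURRENT_USER.get();
        CURRENT_USER.remove();
        MANDATORY.remove();
        return result;
    }

    // Hardened pattern: cleanup in finally runs on every exit path, including early returns.
    static String authenticateSafe(String user, boolean mandatory) {
        CURRENT_USER.set(user);
        MANDATORY.set(mandatory);
        try {
            if (!mandatory) {
                return "deferred";
            }
            return "authenticated:" + CURRENT_USER.get();
        } finally {
            CURRENT_USER.remove();
            MANDATORY.remove();
        }
    }

    // What the next request on the same thread sees before its own authentication runs.
    static String inheritedUser() {
        return CURRENT_USER.get();
    }

    public static void main(String[] args) {
        // Both calls run on the main thread, modelling two requests served by one pooled thread.
        authenticateLeaky("alice", false);
        System.out.println("after leaky early return, next request inherits: " + inheritedUser());
        CURRENT_USER.remove();
        MANDATORY.remove();
        authenticateSafe("alice", false);
        System.out.println("after safe early return, next request inherits: " + inheritedUser());
    }
}
```

When reviewing code for this class of defect, the check is mechanical: every ThreadLocal.set() on a request path needs a matching remove() in a finally block, not at the end of the happy path.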

LPE

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-5795
GHSA-GC59-R5JQ-98QW
GHSA-R7P8-XQ5M-436C
OPENSUSE-SU-2026:10574-1

Affected Products

Eclipse Jetty