CVE-2026-5795_CVE-2026-5795

7.4 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Basic Information

ID CVE-2026-5795

Source eclipse

Published Apr 8, 2026 at 13:32

Modified Apr 9, 2026 at 03:56

Affected Product

Vendor Eclipse Foundation

Product Eclipse Jetty

Version 12.1.0

Affected Versions Eclipse Foundation Eclipse Jetty 12.1.0
Eclipse Foundation Eclipse Jetty 12.0.0
Eclipse Foundation Eclipse Jetty 11.0.0
Eclipse Foundation Eclipse Jetty 10.0.0
Eclipse Foundation Eclipse Jetty 9.4.0

CWE Classification

CWE-226 CWE-287

References

{
    "lastseen": "",
    "description": "In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.\n\n\nUpon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.\n\n\nA subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.",
    "published": "2026-04-08T13:32:28.935Z",
    "modified": "2026-04-09T03:56:11.784Z",
    "type": "cve",
    "title": "CVE-2026-5795",
    "source": "eclipse",
    "references": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436chttps://\nhttps://gitlab.eclipse.org/security/cve-assignment/-/issues/92",
    "id": "CVE-2026-5795",
    "bulletinFamily": "",
    "cwe": [
        "CWE-226",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Eclipse Foundation Eclipse Jetty 12.1.0\nEclipse Foundation Eclipse Jetty 12.0.0\nEclipse Foundation Eclipse Jetty 11.0.0\nEclipse Foundation Eclipse Jetty 10.0.0\nEclipse Foundation Eclipse Jetty 9.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.4,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Eclipse Jetty",
    "version": "12.1.0",
    "vendor": "Eclipse Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}