High severity 7.4 · NVD Advisory · Published Apr 14, 2026 · Updated May 1, 2026
CVE-2026-2332
Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
- https://w4ke.info/2025/06/18/funky-chunks.html
- https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
```
POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...
```
Note that the chunk extension never closes its double quotes, which allows the body to inject a smuggled request.
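A strict chunk-header check following the RFC 9112 section 7.1.1 grammar, next to a lenient mode that models the behaviour described above. This is an added example, not Jetty's code or its fix; `decode_chunked`, `BadChunk` and the sample bytes are constructed for illustration, and trailer fields are not handled.

```python
import re

# Chunk header grammar from RFC 9112 section 7.1.1 (line without its CRLF).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
CHUNK_LINE = re.compile(
    rb"([0-9A-Fa-f]+)(?:[ \t]*;[ \t]*" + TOKEN
    + rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*"
)
SIZE_ONLY = re.compile(rb"([0-9A-Fa-f]+)")


class BadChunk(ValueError):
    """Raised when the chunked body violates the framing rules."""


def decode_chunked(body: bytes, strict: bool = True):
    """Decode a chunked body (no trailer fields); return (payload, leftover).

    strict=False models the behaviour in the description: the header line is
    cut at the first CRLF and an unterminated quoted string is not an error.
    """
    payload, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise BadChunk("chunk header is not CRLF-terminated")
        line = body[pos:eol]
        m = CHUNK_LINE.fullmatch(line) if strict else SIZE_ONLY.match(line)
        if m is None:
            raise BadChunk(f"malformed chunk header: {line!r}")
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise BadChunk("expected empty line after last chunk")
            return payload, body[pos + 2:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise BadChunk("chunk data is not followed by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2


# Constructed sample: the body from the description with explicit CRLFs.
SAMPLE = b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\n\r\n'
WELL_FORMED = b'1;ext="val"\r\nX\r\n0\r\n\r\n'

if __name__ == "__main__":
    print(decode_chunked(SAMPLE, strict=False))  # body ends early, bytes left over
    print(decode_chunked(WELL_FORMED))           # closed quote passes strict mode
```

In lenient mode the bytes after the terminating chunk are returned as leftover, which is what a server would go on to parse as the next request; strict mode rejects the message at the first chunk header.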
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-http (Maven) | >= 12.1.0, < 12.1.7 | 12.1.7 |
| org.eclipse.jetty:jetty-http (Maven) | >= 12.0.0, < 12.0.33 | 12.0.33 |
| org.eclipse.jetty:jetty-http (Maven) | >= 11.0.0, < 11.0.28 | 11.0.28 |
| org.eclipse.jetty:jetty-http (Maven) | >= 10.0.0, < 10.0.28 | 10.0.28 |
| org.eclipse.jetty:jetty-http (Maven) | >= 9.4.0, < 9.4.60 | 9.4.60 |
References
- github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf (nvd: Exploit, Vendor Advisory, Mitigation; WEB)
- github.com/advisories/GHSA-355h-qmc2-wpwf (ghsa; ADVISORY)
- gitlab.eclipse.org/security/cve-assignment/-/issues/89 (nvd: Issue Tracking, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-2332 (ghsa; ADVISORY)
- w4ke.info/2025/06/18/funky-chunks.html (ghsa; WEB)