High severity (7.4) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 23, 2026
CVE-2026-5795
Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables.
Upon returning from the initial checks, some conditions cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.
A subsequent request handled by the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
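The following is an added illustration of the failure pattern the description names, not code from Jetty or from the advisory: a toy authenticator with two ThreadLocals (names invented), one version that returns early without clearing them and one that clears them in a finally block. A single-thread executor stands in for a server thread pool that reuses the same worker thread for consecutive requests.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Hypothetical model of the ThreadLocal-leak pattern; not Jetty's JASPIAuthenticator.
public class ThreadLocalLeakDemo {

    // Two per-thread slots, standing in for the two ThreadLocals the advisory mentions.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    static final ThreadLocal<Boolean> AUTH_DONE = new ThreadLocal<>();

    /** Vulnerable shape: the early return skips the cleanup at the end of the method. */
    static String vulnerableAuthenticate(String user, boolean earlyReturn) {
        CURRENT_USER.set(user);
        AUTH_DONE.set(Boolean.TRUE);
        if (earlyReturn) {
            return "early";   // ThreadLocals stay populated on this worker thread
        }
        String result = "auth:" + CURRENT_USER.get();
        CURRENT_USER.remove();
        AUTH_DONE.remove();
        return result;
    }

    /** Fixed shape: cleanup lives in finally, so every exit path clears the slots. */
    static String fixedAuthenticate(String user, boolean earlyReturn) {
        try {
            CURRENT_USER.set(user);
            AUTH_DONE.set(Boolean.TRUE);
            if (earlyReturn) {
                return "early";
            }
            return "auth:" + CURRENT_USER.get();
        } finally {
            CURRENT_USER.remove();
            AUTH_DONE.remove();
        }
    }

    /** What the next request on the same thread observes before it authenticates. */
    static String observeInherited() {
        String user = CURRENT_USER.get();
        Boolean done = AUTH_DONE.get();
        return (user == null && done == null) ? "clean" : "inherited:" + user + "/" + done;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread: consecutive "requests" reuse it, as in a pooled server.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Request 1 (alice) takes the early-return path in the vulnerable code.
            Future<String> r1 = pool.submit(() -> vulnerableAuthenticate("alice", true));
            System.out.println("request 1: " + r1.get());

            // Request 2 (unauthenticated) finds alice's state already present.
            Future<String> r2 = pool.submit(ThreadLocalLeakDemo::observeInherited);
            System.out.println("request 2 sees: " + r2.get());   // inherited:alice/true

            // Same sequence with the fixed code: slots are cleared even on the early return.
            pool.submit(() -> fixedAuthenticate("alice", true)).get();
            Future<String> r3 = pool.submit(ThreadLocalLeakDemo::observeInherited);
            System.out.println("request 3 sees: " + r3.get());   // clean
        } finally {
            pool.shutdown();
        }
    }
}
```

Compile and run with `javac ThreadLocalLeakDemo.java && java ThreadLocalLeakDemo`. The second request's observation is the whole bug: a thread pool does not reset per-thread state between requests, so any ThreadLocal that is not removed on every exit path (including early returns and exceptions) becomes state that the next, unrelated request inherits. The fixed variant's try/finally is the standard remedy; the practical check when auditing a codebase is to look for `ThreadLocal.set(...)` calls that are not paired with a `remove()` in a finally block.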
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty.ee11:jetty-ee11-jaspi (Maven) | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee10:jetty-ee10-jaspi (Maven) | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee9:jetty-ee9-jaspi (Maven) | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee8:jetty-ee8-jaspi (Maven) | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee11:jetty-ee11-jaspi (Maven) | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee10:jetty-ee10-jaspi (Maven) | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee9:jetty-ee9-jaspi (Maven) | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee8:jetty-ee8-jaspi (Maven) | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty:jetty-jaspi (Maven) | >= 11.0.0, < 11.0.29 | 11.0.29 |
| org.eclipse.jetty:jetty-jaspi (Maven) | >= 10.0.0, < 10.0.29 | 10.0.29 |
| org.eclipse.jetty:jetty-jaspi (Maven) | >= 9.4.0, < 9.4.61 | 9.4.61 |
Affected products: 1
Patches: No patches discovered yet.
References
- github.com/advisories/GHSA-r7p8-xq5m-436c (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-5795 (NVD)
- github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c (Jetty project advisory)
- gitlab.eclipse.org/security/cve-assignment/-/issues/92 (Eclipse CVE assignment issue)