High severity (7.4) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 23, 2026
CVE-2026-5795
Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables.
After those initial checks return, certain conditions cause an early return from the JASPIAuthenticator code without clearing the two ThreadLocals.
A subsequent request handled on the same thread inherits the stale ThreadLocal values, leading to broken access control and privilege escalation.
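The mechanism the description gives, reduced to a constructed Java illustration (added here; not Jetty's JASPIAuthenticator code). The ThreadLocal names, the method names, the early-return condition and the single-thread executor standing in for a reused server thread are assumptions of this demo; it contrasts the leaking shape with the try/finally shape that clears state on every exit path.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Constructed illustration of the CVE-2026-5795 pattern; not Jetty code.
// ThreadLocal names and the early-return condition are assumptions.
public class ThreadLocalLeakDemo {
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();
    static final ThreadLocal<String> MESSAGE_INFO = new ThreadLocal<>();

    // Vulnerable shape: state is set, and one path returns before clearing it.
    static String vulnerableValidate(String user, boolean earlyReturn) {
        PRINCIPAL.set(user);
        MESSAGE_INFO.set("info-for-" + user);
        if (earlyReturn) {
            return PRINCIPAL.get(); // both ThreadLocals stay populated
        }
        String result = PRINCIPAL.get();
        PRINCIPAL.remove();
        MESSAGE_INFO.remove();
        return result;
    }

    // Hardened shape: try/finally clears the state on every exit path,
    // so an early return (or an exception) can no longer skip the cleanup.
    static String fixedValidate(String user) {
        try {
            PRINCIPAL.set(user);
            MESSAGE_INFO.set("info-for-" + user);
            return PRINCIPAL.get();
        } finally {
            PRINCIPAL.remove();
            MESSAGE_INFO.remove();
        }
    }

    // What the next request on the same thread sees before authenticating.
    static String observeInherited() {
        String leaked = PRINCIPAL.get();
        return leaked == null ? "anonymous" : leaked;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService oneThread = Executors.newSingleThreadExecutor(); // one reused thread
        try {
            oneThread.submit(() -> vulnerableValidate("alice", true)).get();
            System.out.println("vulnerable: " + oneThread.submit(ThreadLocalLeakDemo::observeInherited).get());
            oneThread.submit(() -> fixedValidate("bob")).get();
            System.out.println("fixed: " + oneThread.submit(ThreadLocalLeakDemo::observeInherited).get());
        } finally { oneThread.shutdown(); }
    }
}
```

Because both requests run on the one pooled thread, the first observation reports the previous request's principal while the second, after the hardened method, reports anonymous; the same try/finally discipline is what an audit of any per-request ThreadLocal should look for.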
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty.ee11:jetty-ee11-jaspi | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee10:jetty-ee10-jaspi | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee9:jetty-ee9-jaspi | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee8:jetty-ee8-jaspi | >= 12.1.0, < 12.1.8 | 12.1.8 |
| org.eclipse.jetty.ee11:jetty-ee11-jaspi | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee10:jetty-ee10-jaspi | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee9:jetty-ee9-jaspi | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty.ee8:jetty-ee8-jaspi | >= 12.0.0, < 12.0.34 | 12.0.34 |
| org.eclipse.jetty:jetty-jaspi | >= 11.0.0, < 11.0.29 | 11.0.29 |
| org.eclipse.jetty:jetty-jaspi | >= 10.0.0, < 10.0.29 | 10.0.29 |
| org.eclipse.jetty:jetty-jaspi | >= 9.4.0, < 9.4.61 | 9.4.61 |
Affected products
GHSA package coordinates (no CPE assigned) and their affected ranges:
- pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-jaspi: >= 12.1.0, < 12.1.8
- pkg:maven/org.eclipse.jetty.ee11/jetty-ee11-jaspi: >= 12.1.0, < 12.1.8
- pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-jaspi: >= 12.1.0, < 12.1.8
- pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-jaspi: >= 12.1.0, < 12.1.8
- pkg:maven/org.eclipse.jetty/jetty-jaspi: >= 11.0.0, < 11.0.29
- pkg:rpm/opensuse/jetty-minimal&distro=openSUSE%20Tumbleweed: < 9.4.58-4.1
References
- github.com/advisories/GHSA-r7p8-xq5m-436c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-5795 (GHSA, advisory)
- github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c (GHSA, web)
- gitlab.eclipse.org/security/cve-assignment/-/issues/92 (NVD, web; link currently broken)