CVE-2026-5795

HIGH7.4

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable

Published Apr 8, 2026

Modified 1 weeks ago

Details

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

References

WEB

https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436chttps://

WEB

https://gitlab.eclipse.org/security/cve-assignment/-/issues/92

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-5795

CVSS Analysis

CVSS v3.1

7.4

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

NoneA:N

7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness Type (CWE)

Authentication

CWE-287

Improper Authentication

Other

CWE-226

Ecosystems

Timeline

PublishedApr 8, 2026

ModifiedApr 9, 2026

CVE-2026-5795 | Mondoo Vulnerability Intelligence