Request Smuggling Vulnerability in Eclipse Jetty HTTP/1.1 Parser
CVE-2026-2332
7.4 HIGH
What is CVE-2026-2332?
Eclipse Jetty's HTTP/1.1 parser is susceptible to a request smuggling attack when chunk extensions are used. The vulnerability arises from improper termination of chunk extension parsing within quoted strings, which can lead to the injection of smuggled requests. Attackers can exploit this parsing behaviour to bypass security measures, which poses significant risks to server integrity and data security. Exploitation scenarios may include injecting unauthorized requests to sensitive endpoints, potentially allowing further attacks or data exfiltration.
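A strict reading of chunk extensions, as an added example (not Jetty's code and not its fix): a validator a front-end check or test harness could apply to chunked bodies, following the RFC 9112 grammar, in which a quoted string never contains CR or LF and the first CRLF always ends the chunk line. The function names, the size and line limits, and the sample bytes are constructed for this illustration.

```python
import re

# Grammar from RFC 9112 section 7.1.1 and RFC 9110 (token, quoted-string).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# qdtext / quoted-pair: HTAB, SP, visible ASCII, obs-text. CR and LF never match.
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
BWS = rb"[ \t]*"
EXT = (BWS + b";" + BWS + TOKEN
       + b"(?:" + BWS + b"=" + BWS + b"(?:" + TOKEN + b"|" + QUOTED + b"))?")
# Size capped at 16 hex digits (a limit chosen for this example).
CHUNK_LINE = re.compile(b"([0-9A-Fa-f]{1,16})(?:" + EXT + b")*")

def parse_chunk_header(buf, max_line=4096):
    """Return (chunk_size, header_len) for the chunk line at the start of buf."""
    end = buf.find(b"\r\n", 0, max_line + 2)
    if end < 0:
        raise ValueError("chunk line not terminated by CRLF within limit")
    # The first CRLF always ends the line; a quote still open there is an error.
    m = CHUNK_LINE.fullmatch(buf[:end])
    if m is None:
        raise ValueError("malformed chunk-size or chunk-ext")
    return int(m.group(1), 16), end + 2

def decode_chunked(body):
    """Strictly decode one chunked body; return (payload, bytes_consumed)."""
    out, pos = bytearray(), 0
    while True:
        size, hdr = parse_chunk_header(body[pos:])
        pos += hdr
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":  # trailer fields not handled here
                raise ValueError("trailers or missing final CRLF")
            return bytes(out), pos + 2
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2

# Constructed sample bodies (not captured traffic).
GOOD = b'5;note="a;b"\r\nhello\r\n0\r\n\r\n'
OPEN_QUOTE = b'5;note="abc\r\nhello\r\n0\r\n\r\n'
BARE_LF = b'5;note="a\nb"\r\nhello\r\n0\r\n\r\n'

def rejected(body):
    """True when the strict decoder refuses the body."""
    try:
        decode_chunked(body)
    except ValueError:
        return True
    return False
```

Rejecting the whole message on any grammar violation, rather than trying to resynchronise, keeps every component in the request path agreeing on where the body ends.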
Affected Version(s)
Eclipse Jetty 12.1.0 <= 12.1.6
Eclipse Jetty 12.0.0 <= 12.0.32
Eclipse Jetty 11.0.0 <= 11.0.27
