Authentication Flaw in Jetty by Eclipse Leads to Privilege Escalation
CVE-2026-5795

7.4HIGH

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 8 April 2026

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2026-5795?

Eclipse Jetty contains an authentication flaw in the JASPIAuthenticator class. The vulnerability arises when authentication checks are performed using ThreadLocal variables that are not properly cleared upon completion of the initial checks. This oversight allows subsequent requests made on the same thread to inherit the existing ThreadLocal values, potentially leading to unauthorized access and privilege escalation within the application.

Affected Version(s)

Eclipse Jetty 12.1.0 <= 12.1.7

Eclipse Jetty 12.0.0 <= 12.0.33

Eclipse Jetty 11.0.0 <= 11.0.28

References

https://github.com/jetty/jetty.project/security/advisorie...

https://gitlab.eclipse.org/security/cve-assignment/-/issu...

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 8, 2026

Credit

https://github.com/HRsGIT

CVE-2026-5795 Data

JSON