HTTP Header Mismatch Vulnerability in Eclipse Jetty
CVE-2026-6790

5.3MEDIUM

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-6790?

In Eclipse Jetty, there is a significant vulnerability involving a lack of strict validation for the request authority, specifically where the host and port in the request do not align with the Host header. While earlier HTTP RFCs (such as RFC 2616) allowed for some flexibility in this regard, the latest revisions (RFC 9110 and 9112) emphasize that these values must match. As a result of this oversight, various issues may arise, including improper URI constructions that can lead to misleading redirects, complications with virtual host selection, challenges in reverse proxy configurations, and confusing log entries. Such discrepancies can compromise the integrity of web applications relying on Jetty, necessitating a robust implementation of host and authority checks.

Affected Version(s)

Eclipse Jetty 9.4.0 <= 9.4.60

Eclipse Jetty 10.0.0 <= 10.0.28

Eclipse Jetty 11.0.0 <= 11.0.28

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.