HTTP Header Mismatch Vulnerability in Eclipse Jetty
CVE-2026-6790
What is CVE-2026-6790?
In Eclipse Jetty, there is a significant vulnerability involving a lack of strict validation for the request authority, specifically where the host and port in the request do not align with the Host header. While earlier HTTP RFCs (such as RFC 2616) allowed for some flexibility in this regard, the latest revisions (RFC 9110 and 9112) emphasize that these values must match. As a result of this oversight, various issues may arise, including improper URI constructions that can lead to misleading redirects, complications with virtual host selection, challenges in reverse proxy configurations, and confusing log entries. Such discrepancies can compromise the integrity of web applications relying on Jetty, necessitating a robust implementation of host and authority checks.
Affected Version(s)
Eclipse Jetty 9.4.0 <= 9.4.60
Eclipse Jetty 10.0.0 <= 10.0.28
Eclipse Jetty 11.0.0 <= 11.0.28
