7.4

CVE-2026-5795

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request handled by the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
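The failure mode described above is a cleanup step that is skipped on an early-return path, so state intended for one request survives into the next request that the pooled thread serves. The following Java program is an added illustration, not Jetty's code: the ThreadLocal names, the `validateLeaky`/`validateFixed` methods and the "early return" condition are all constructed for this example. It runs two tasks on a single-thread executor, so the second task is guaranteed to reuse the first task's thread, and compares the leaky shape (cleanup only at the end of the method) with the hardened shape (cleanup in a `finally` block that runs on every exit path).

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {

    // Hypothetical stand-ins for the two per-request authentication ThreadLocals.
    // These names are constructed for this example and are not Jetty's.
    static final ThreadLocal<String> AUTH_SUBJECT = new ThreadLocal<>();
    static final ThreadLocal<String> AUTH_MESSAGE_INFO = new ThreadLocal<>();

    // Vulnerable shape: the early return skips the cleanup at the end of the method,
    // so both ThreadLocals stay populated on the worker thread.
    static String validateLeaky(String user, boolean earlyReturn) {
        AUTH_SUBJECT.set(user);
        AUTH_MESSAGE_INFO.set("msg-for-" + user);
        if (earlyReturn) {
            return "early";
        }
        // ... remaining checks would run here ...
        AUTH_SUBJECT.remove();
        AUTH_MESSAGE_INFO.remove();
        return "done";
    }

    // Hardened shape: cleanup lives in finally, so it runs for the early return,
    // the normal return and any exception alike.
    static String validateFixed(String user, boolean earlyReturn) {
        try {
            AUTH_SUBJECT.set(user);
            AUTH_MESSAGE_INFO.set("msg-for-" + user);
            if (earlyReturn) {
                return "early";
            }
            return "done";
        } finally {
            AUTH_SUBJECT.remove();
            AUTH_MESSAGE_INFO.remove();
        }
    }

    // What the next request on the same thread observes before its own checks run.
    static String inheritedSubject() {
        return AUTH_SUBJECT.get();
    }

    public static void main(String[] args) throws Exception {
        // One worker thread models a server thread pool handing consecutive requests
        // to the same thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> validateLeaky("alice", true)).get();
            String afterLeaky = pool.submit(ThreadLocalLeakDemo::inheritedSubject).get();
            System.out.println("leaky version, next request inherits subject: " + afterLeaky);

            // Reset the thread so the hardened run starts from a clean state.
            pool.submit(() -> { AUTH_SUBJECT.remove(); AUTH_MESSAGE_INFO.remove(); }).get();

            pool.submit(() -> validateFixed("alice", true)).get();
            String afterFixed = pool.submit(ThreadLocalLeakDemo::inheritedSubject).get();
            System.out.println("fixed version, next request inherits subject: " + afterFixed);
        } finally {
            pool.shutdown();
        }
    }
}
```

Compile and run with `javac ThreadLocalLeakDemo.java && java ThreadLocalLeakDemo`. After the leaky run, the second task still reads the first request's subject from the reused thread; after the hardened run it reads nothing, because `finally` removed both values regardless of which return path was taken. The same `try`/`finally` (or a request-scoped listener that clears all per-request ThreadLocals) is the general remediation for this CWE-226 pattern wherever a thread pool reuses threads across requests.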
Data provided by the National Vulnerability Database (NVD)
Eclipse Jetty version >= 9.4.0, <= 9.4.58
Eclipse Jetty version >= 10.0.0, <= 10.0.26
Eclipse Jetty version >= 11.0.0, <= 11.0.26
Eclipse Jetty version >= 12.0.0, < 12.0.34
Eclipse Jetty version >= 12.1.0, < 12.1.8
No advisory was found for this CVE.
EPSS metrics
Type    Source      Score   Percentile
EPSS    FIRST.org   0.03%   0.091
CVSS metrics
Source            Base Score   Exploit Score   Impact Score   Vector String
emo@eclipse.org   7.4          2.2             5.2            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-226 Sensitive Information in Resource Not Removed Before Reuse

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.