CVE-2026-5795 PUBLISHED

Assigner: eclipse
Reserved: 08.04.2026 Published: 08.04.2026 Updated: 08.04.2026

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.

Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.

A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Eclipse Foundation
Product	Eclipse Jetty
Versions	Default: unaffected affected from 12.1.0 to 12.1.7 (incl.) affected from 12.0.0 to 12.0.33 (incl.) affected from 11.0.0 to 11.0.28 (incl.) affected from 10.0.0 to 10.0.28 (incl.) affected from 9.4.0 to 9.4.60 (incl.)

CVE-2026-5795 PUBLISHED

Metrics

Product Status

Credits

References

Problem Types