CVE-2026-8384 PUBLISHED

Assigner: eclipse
Reserved: 12.05.2026 Published: 14.07.2026 Updated: 14.07.2026

In Eclipse Jetty, an HTTP URI of this form:

/public;/../admin/secret.txt

results in an unresolved path of:

/public/../admin/secret.txt

instead of the expected:

/admin/secret.txt

Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).

However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor Eclipse Foundation
Product Eclipse Jetty
Versions Default: unaffected
  • affected from 12.0.0 to 12.0.34 (incl.)
  • affected from 12.1.0 to 12.1.8 (incl.)

Credits

  • https://github.com/jweny finder
  • https://github.com/lworld0x00 finder

References

Problem Types

  • CWE-647 CWE