CVE-2026-5795
Received
Received - Intake
ThreadLocal Mismanagement in Eclipse Jetty Causes Privilege Escalation
Publication date: 2026-04-08
Last updated on: 2026-04-23
Assigner: Eclipse Foundation
Description
Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.
Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.
A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | jetty | From 10.0.0 (inc) to 10.0.26 (inc) |
| eclipse | jetty | From 11.0.0 (inc) to 11.0.26 (inc) |
| eclipse | jetty | From 9.4.0 (inc) to 9.4.58 (inc) |
| eclipse | jetty | From 12.0.0 (inc) to 12.0.34 (exc) |
| eclipse | jetty | From 12.1.0 (inc) to 12.1.8 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
