CVE-2026-5795
ThreadLocal Mismanagement in Eclipse Jetty Causes Privilege Escalation
Publication date: 2026-04-08
Last updated on: 2026-04-23
Assigner: Eclipse Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | jetty | From 10.0.0 (inc) to 10.0.26 (inc) |
| eclipse | jetty | From 11.0.0 (inc) to 11.0.26 (inc) |
| eclipse | jetty | From 9.4.0 (inc) to 9.4.58 (inc) |
| eclipse | jetty | From 12.0.0 (inc) to 12.0.34 (exc) |
| eclipse | jetty | From 12.1.0 (inc) to 12.1.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Eclipse Jetty's JASPIAuthenticator class, which manages authentication checks by setting two ThreadLocal variables.
Due to certain conditions, the code may return early from the authentication process without clearing these ThreadLocal variables.
As a result, a subsequent request processed by the same thread inherits these leftover ThreadLocal values, causing broken access control and enabling privilege escalation.
How can this vulnerability impact me? :
This vulnerability can lead to broken access control, where unauthorized users may gain elevated privileges.
Specifically, because ThreadLocal variables are not cleared properly, a request may inherit authentication information from a previous request on the same thread, potentially allowing privilege escalation.