CVE-2026-8384
Received
Received - Intake
Path Traversal in Eclipse Jetty
Vulnerability report for CVE-2026-8384, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: Eclipse Foundation
Description
Description
In Eclipse Jetty, an HTTP URI of this form:
/public;/../admin/secret.txt
results in an unresolved path of:
/public/../admin/secret.txt
instead of the expected:
/admin/secret.txt
Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).
However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | jetty | From 12.0.0 (inc) to 12.0.34 (inc) |
| eclipse | jetty | From 12.1.0 (inc) to 12.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-647 | The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. |