CVE-2026-5795
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables
7.4
HIGH
CVSS 3.1
EPSS 0.03%
Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request served by the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
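The defect class described above, shown as an added illustration that is not Jetty's code: a hypothetical authenticator (ThreadLocalLeakDemo, leakyAuthenticate, safeAuthenticate and validate are all constructed for this example) publishes the validated identity through a ThreadLocal, one path returns early without clearing it, and a single reused worker thread serves two requests in sequence. The hardened form clears the ThreadLocal in a finally block so cleanup runs on every exit path.

```java
import java.util.concurrent.*;

// Constructed demonstration of a ThreadLocal leak across requests; not Jetty's code.
// A container reuses worker threads, so state left in a ThreadLocal by one request
// is visible to whichever request that thread serves next.
public class ThreadLocalLeakDemo {
    private static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Vulnerable shape: the early return skips the cleanup at the end of the method.
    static String leakyAuthenticate(String credential, boolean earlyReturn) {
        String identity = validate(credential);          // null when no credential sent
        if (identity != null) PRINCIPAL.set(identity);
        if (earlyReturn) return "deferred";              // ThreadLocal left populated
        String result = "identity=" + PRINCIPAL.get();
        PRINCIPAL.remove();
        return result;
    }

    // Hardened shape: finally clears the ThreadLocal on normal, early and exceptional exits.
    static String safeAuthenticate(String credential, boolean earlyReturn) {
        try {
            String identity = validate(credential);
            if (identity != null) PRINCIPAL.set(identity);
            if (earlyReturn) return "deferred";
            return "identity=" + PRINCIPAL.get();
        } finally {
            PRINCIPAL.remove();
        }
    }

    // Stand-in for real credential validation (constructed for this example).
    private static String validate(String credential) {
        return "secret-alice".equals(credential) ? "alice" : null;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread reused for every request, like a container thread pool.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Request 1 authenticates as alice but exits early; request 2 sends no credential.
            worker.submit(() -> leakyAuthenticate("secret-alice", true)).get();
            Future<String> leaked = worker.submit(() -> leakyAuthenticate(null, false));
            System.out.println("leaky: " + leaked.get());
            worker.submit(() -> safeAuthenticate("secret-alice", true)).get();
            Future<String> clean = worker.submit(() -> safeAuthenticate(null, false));
            System.out.println("safe:  " + clean.get());
        } finally {
            worker.shutdown();
        }
    }
}
```

With the leaky version the second request, which carried no credential, is reported as alice because it inherited the first request's ThreadLocal; with the hardened version it is reported with no identity.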
How to fix CVE-2026-5795
To remediate CVE-2026-5795, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 12.1.7 or later
- —upgrade to 12.1.8 or later
- —upgrade to 12.1.8 or later
- —upgrade to 12.1.8 or later
- —upgrade to 12.1.8 or later
- —upgrade to 11.0.29 or later
Is CVE-2026-5795 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0
- from 0
- >= 12.1.0, < 12.1.7
- >= 12.1.0, < 12.1.8
- >= 12.1.0, < 12.1.8
- >= 12.1.0, < 12.1.8
- >= 12.1.0, < 12.1.8
- >= 11.0.0, < 11.0.29
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |