CVE-2026-5795

Name: CVE-2026-5795
Description: In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1133373, 1133374

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version               Status
jetty12 (PTS)    trixie (security), trixie       12.0.17-3.1~deb13u1   vulnerable
jetty12 (PTS)    forky, sid                      12.0.33-1             vulnerable
jetty9 (PTS)     bullseye                        9.4.50-4+deb11u2      vulnerable
jetty9 (PTS)     bullseye (security)             9.4.57-0+deb11u3      vulnerable
jetty9 (PTS)     bookworm, bookworm (security)   9.4.57-1.1~deb12u1    vulnerable
jetty9 (PTS)     trixie (security), trixie       9.4.57-1.1~deb13u1    vulnerable
jetty9 (PTS)     forky, sid                      9.4.58-1              vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
jetty12   source   (unstable)   (unfixed)                          1133373
jetty9    source   (unstable)   (unfixed)                          1133374

Notes

https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c
