VDB

CVE-2026-5795

CVE-2026-5795 PUBLISHED CVSS 7.400000095367432 HIGH

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

EPSS 0.03% · 9.5th percentile

Risk Scores

CVSS v3.1
7.400000095367432
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.03%
9.5th percentile

Affected Products

VendorProductVersions
Eclipse FoundationEclipse Jetty11.0.0, 10.0.0, 9.4.0

Timeline

  • Apr 8, 2026 CVE Published
  • Apr 8, 2026 PoC Published
  • Apr 8, 2026 Security Advisory
  • Apr 9, 2026 EPSS Score
  • Apr 14, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›