JustAppSec
HIGH SeverityCVSS 3.17.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-5795

Last updated Apr 08, 2026 · Published Apr 08, 2026

← Back to list

Description

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Affected products

1 listed
  • Eclipse Foundation:Eclipse Jetty

Mappings

CWE

CWE-226; CWE-287

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms

Need help?Get in touch.