CVE-2026-6790 (GCVE-0-2026-6790)
Vulnerability from cvelistv5 – Published: 2026-07-14 08:51 – Updated: 2026-07-14 12:20
VLAI
EPSS
VEX
Summary
In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).
This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).
This mismatch can cause a number of problems that may be classified as vulnerabilities such as:
*
URI constructions (for example, for redirects -- this is typical for login pages)
*
Virtual host selection
*
Reverse proxying
*
Misleading logs
*
Etc.
Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Eclipse Jetty |
Affected:
9.4.0 , ≤ 9.4.60
(semver)
Affected: 10.0.0 , ≤ 10.0.28 (semver) Affected: 11.0.0 , ≤ 11.0.28 (semver) Affected: 12.0.0 , ≤ 12.0.34 (semver) Affected: 12.1.0 , ≤ 12.1.8 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6790",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T12:18:58.528202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T12:20:35.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eclipse Jetty",
"repo": "https://github.com/jetty/jetty.project",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "9.4.60",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.0.28",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.0.28",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.0.34",
"status": "affected",
"version": "12.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.1.8",
"status": "affected",
"version": "12.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the \u003ccode\u003eHost\u003c/code\u003e header (if present).\u003c/p\u003e\n\u003cp\u003eThis was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).\u003c/p\u003e\n\u003cp\u003eThis mismatch can cause a number of problems that may be classified as vulnerabilities such as:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n \n URI constructions (for example, for redirects -- this is typical for login pages)\u003c/li\u003e\n\u003cli\u003e\n \n Virtual host selection\u003c/li\u003e\n\u003cli\u003e\n \n Reverse proxying\u003c/li\u003e\n\u003cli\u003e\n \n Misleading logs\u003c/li\u003e\n\u003cli\u003e\n \n Etc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eGiven that the latest RFCs require that request authority and \u003ccode\u003eHost\u003c/code\u003e header must match, Jetty should enforce this invariant.\u003c/p\u003e"
}
],
"value": "In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).\n\n\n\n\nThis was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).\n\n\n\n\nThis mismatch can cause a number of problems that may be classified as vulnerabilities such as:\n\n\n\n * \n \n URI constructions (for example, for redirects -- this is typical for login pages)\n\n * \n \n Virtual host selection\n\n * \n \n Reverse proxying\n\n * \n \n Misleading logs\n\n * \n \n Etc.\n\n\n\n\n\n\nGiven that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T08:51:30.527Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/work_items/99"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2026-6790",
"datePublished": "2026-07-14T08:51:30.527Z",
"dateReserved": "2026-04-21T13:47:52.520Z",
"dateUpdated": "2026-07-14T12:20:35.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6790",
"date": "2026-07-14",
"epss": "0.00196",
"percentile": "0.09519"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6790\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2026-07-14T09:16:41.930\",\"lastModified\":\"2026-07-14T18:35:54.793\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).\\n\\n\\n\\n\\nThis was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).\\n\\n\\n\\n\\nThis mismatch can cause a number of problems that may be classified as vulnerabilities such as:\\n\\n\\n\\n * \\n \\n URI constructions (for example, for redirects -- this is typical for login pages)\\n\\n * \\n \\n Virtual host selection\\n\\n * \\n \\n Reverse proxying\\n\\n * \\n \\n Misleading logs\\n\\n * \\n \\n Etc.\\n\\n\\n\\n\\n\\n\\nGiven that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.\"}],\"affected\":[{\"source\":\"emo@eclipse.org\",\"affectedData\":[{\"vendor\":\"Eclipse Foundation\",\"product\":\"Eclipse Jetty\",\"defaultStatus\":\"unaffected\",\"repo\":\"https://github.com/jetty/jetty.project\",\"versions\":[{\"version\":\"9.4.0\",\"lessThanOrEqual\":\"9.4.60\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"10.0.0\",\"lessThanOrEqual\":\"10.0.28\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"11.0.0\",\"lessThanOrEqual\":\"11.0.28\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"12.0.0\",\"lessThanOrEqual\":\"12.0.34\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"12.1.0\",\"lessThanOrEqual\":\"12.1.8\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-14T12:18:58.528202Z\",\"id\":\"CVE-2026-6790\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndExcluding\":\"9.4.61\",\"matchCriteriaId\":\"EE3C7B48-2010-4031-8B0A-6895F39250E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.29\",\"matchCriteriaId\":\"429939D6-D788-4755-B4DF-DEAEDC8973F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.0.29\",\"matchCriteriaId\":\"474C24C9-B404-4D57-A69D-6F76009C5772\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.35\",\"matchCriteriaId\":\"655AA819-8D55-40C7-BCF3-F7D2AC085C41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.1.0\",\"versionEndExcluding\":\"12.1.9\",\"matchCriteriaId\":\"FF2AE57E-99D5-4181-A5B6-77A5FFBEB3F1\"}]}]}],\"references\":[{\"url\":\"https://gitlab.eclipse.org/security/cve-assignment/-/work_items/99\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6790\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-14T12:18:58.528202Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-14T12:20:30.586Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/jetty/jetty.project\", \"vendor\": \"Eclipse Foundation\", \"product\": \"Eclipse Jetty\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.4.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.4.60\"}, {\"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.0.28\"}, {\"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.28\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.0.34\"}, {\"status\": \"affected\", \"version\": \"12.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.1.8\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://gitlab.eclipse.org/security/cve-assignment/-/work_items/99\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).\\n\\n\\n\\n\\nThis was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).\\n\\n\\n\\n\\nThis mismatch can cause a number of problems that may be classified as vulnerabilities such as:\\n\\n\\n\\n * \\n \\n URI constructions (for example, for redirects -- this is typical for login pages)\\n\\n * \\n \\n Virtual host selection\\n\\n * \\n \\n Reverse proxying\\n\\n * \\n \\n Misleading logs\\n\\n * \\n \\n Etc.\\n\\n\\n\\n\\n\\n\\nGiven that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIn Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the \u003ccode\u003eHost\u003c/code\u003e header (if present).\u003c/p\u003e\\n\u003cp\u003eThis was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).\u003c/p\u003e\\n\u003cp\u003eThis mismatch can cause a number of problems that may be classified as vulnerabilities such as:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003e\\n \\n URI constructions (for example, for redirects -- this is typical for login pages)\u003c/li\u003e\\n\u003cli\u003e\\n \\n Virtual host selection\u003c/li\u003e\\n\u003cli\u003e\\n \\n Reverse proxying\u003c/li\u003e\\n\u003cli\u003e\\n \\n Misleading logs\u003c/li\u003e\\n\u003cli\u003e\\n \\n Etc.\u003c/li\u003e\\n\u003c/ul\u003e\\n\u003cp\u003eGiven that the latest RFCs require that request authority and \u003ccode\u003eHost\u003c/code\u003e header must match, Jetty should enforce this invariant.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2026-07-14T08:51:30.527Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6790\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-14T12:20:35.130Z\", \"dateReserved\": \"2026-04-21T13:47:52.520Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2026-07-14T08:51:30.527Z\", \"assignerShortName\": \"eclipse\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…