GHSA-R7P8-XQ5M-436C

Vulnerability from github – Published: 2026-04-14 00:06 – Updated: 2026-04-14 00:06
Summary
Eclipse Jetty: Early return from the JaspiAuthenticator code can leave ThreadLocal variables uncleared
Details

Description (as reported)

A security vulnerability has been identified in Jetty's JaspiAuthenticator.java.

The root cause is a failure to consistently clear authentication metadata stored in ThreadLocal during certain error or incomplete authentication flows. Specifically, after a GroupPrincipalCallback is persisted into the ThreadLocal, the authentication process may exit prematurely — before the ThreadLocal storage is cleared — if a mandatory CallerPrincipalCallback is missing or an exception occurs. This allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation.

See also attached PDF.
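The sequence described above, as an added example that is not Jetty's code: a simplified Java model of the reported pattern, with a single-thread executor standing in for one pooled request-handling thread. The class, `ModuleResult`, `validateVulnerable`, `validateHardened` and the `GROUPS` ThreadLocal are assumptions for illustration; the block uses no Jetty or Jakarta Authentication classes, and the hardened variant shows the general try/finally discipline, not Jetty's actual fix.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Simplified, stand-alone model of the reported failure mode (not Jetty code).
 * A single-thread executor plays the role of one pooled request-handling thread
 * that serves several HTTP requests in sequence.
 */
public class ThreadLocalLeakDemo {

    /** Stand-in for the ThreadLocal in which the authenticator stashes group data. */
    private static final ThreadLocal<Set<String>> GROUPS = new ThreadLocal<>();

    /** Constructed stand-in for what an auth module hands back through its callbacks. */
    static final class ModuleResult {
        final String callerPrincipal; // null = mandatory CallerPrincipalCallback never supplied
        final Set<String> groups;     // groups delivered through a GroupPrincipalCallback

        ModuleResult(String callerPrincipal, Set<String> groups) {
            this.callerPrincipal = callerPrincipal;
            this.groups = groups;
        }
    }

    /** Vulnerable shape: groups are stored, then a mandatory check returns early without clearing. */
    static Set<String> validateVulnerable(ModuleResult r) {
        GROUPS.set(new HashSet<>(r.groups));   // GroupPrincipalCallback persisted into the ThreadLocal
        if (r.callerPrincipal == null) {
            return null;                       // early exit: GROUPS is still set on this thread
        }
        Set<String> roles = GROUPS.get();
        GROUPS.remove();                       // only reached on the success path
        return roles;
    }

    /** Hardened shape: every exit path, including exceptions, passes through finally and clears. */
    static Set<String> validateHardened(ModuleResult r) {
        GROUPS.set(new HashSet<>(r.groups));
        try {
            if (r.callerPrincipal == null) {
                return null;
            }
            return new HashSet<>(GROUPS.get());
        } finally {
            GROUPS.remove();
        }
    }

    /** What the next request on the same thread would see if it consulted the ThreadLocal. */
    static Set<String> rolesSeenByNextRequest() {
        Set<String> leftover = GROUPS.get();
        return leftover == null ? Set.of() : leftover;
    }

    public static void main(String[] args) throws Exception {
        // Request 1: a module that reported an admin group but never supplied a caller principal.
        ModuleResult incomplete = new ModuleResult(null, Set.of("admin"));
        Callable<Set<String>> nextRequest = ThreadLocalLeakDemo::rolesSeenByNextRequest;

        ExecutorService worker = Executors.newSingleThreadExecutor(); // one pooled thread
        try {
            worker.submit(() -> validateVulnerable(incomplete)).get();
            // Request 2 on the same thread, carrying no credentials at all:
            System.out.println("vulnerable: next request inherits " + worker.submit(nextRequest).get());

            worker.submit(() -> validateHardened(incomplete)).get();
            System.out.println("hardened:   next request inherits " + worker.submit(nextRequest).get());
        } finally {
            worker.shutdown();
        }
    }
}
```

Run with `java ThreadLocalLeakDemo.java` (JDK 11 or later). In the vulnerable run the second, credential-less request observes the group the first request left behind; in the hardened run it observes nothing. An exception thrown between `set` and `remove` has the same effect as the early return, which is why the clearing belongs in a `finally` block (or, equivalently, why the mandatory callback should be checked before anything is written to the ThreadLocal).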

Impact

An unauthenticated user may inherit privileges that were granted to a previous request handled by the same worker thread (privilege escalation).

Patches

No patches yet (as reported). The affected-version data below lists fixed versions 9.4.61, 10.0.29, 11.0.29, 12.0.34 and 12.1.8 for the jetty-jaspi artifacts; confirm against the source advisory before relying on them.

Workarounds

Do not use Jetty's JASPI (Jakarta Authentication) integration until a fixed version is in place; the affected artifacts are the jetty-jaspi modules listed below.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.1.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee11:jetty-ee11-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.1.0"
            },
            {
              "fixed": "12.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.1.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee10:jetty-ee10-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.1.0"
            },
            {
              "fixed": "12.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.1.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee9:jetty-ee9-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.1.0"
            },
            {
              "fixed": "12.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.1.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee8:jetty-ee8-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.1.0"
            },
            {
              "fixed": "12.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee11:jetty-ee11-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee10:jetty-ee10-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee9:jetty-ee9-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.ee8:jetty-ee8-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.28"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.28"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.60"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-jaspi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.0"
            },
            {
              "fixed": "9.4.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-5795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-226",
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T00:06:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Description (as reported)\n\nA security vulnerability has been identified in Jetty\u0027s  `JaspiAuthenticator.java`. \n\nThe root cause is a failure to consistently clear authentication metadata stored in  `ThreadLocal`  during certain error or incomplete authentication flows. \nSpecifically, after a `GroupPrincipalCallback`  is persisted into the  `ThreadLocal`, the authentication process may exit prematurely \u2014 before the  `ThreadLocal`  storage is cleared \u2014 if a mandatory `CallerPrincipalCallback`  is missing or an exception occurs. \nThis allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation.\n\nSee also attached PDF.\n\n### Impact\nAn unauthenticated user may gain ungrated privileges from a previous request (privilege escalation).\n\n### Patches\nNo patches yet.\n\n### Workarounds\nDo not use Jetty\u0027s JASPI.",
  "id": "GHSA-r7p8-xq5m-436c",
  "modified": "2026-04-14T00:06:27Z",
  "published": "2026-04-14T00:06:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5795"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jetty/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://github.com/user-attachments/files/26118760/JaspiAuthenticator_Security_Report.pdf"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/92"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables"
}

