CVE-2026-5795
Summary
| CVE | CVE-2026-5795 |
|---|---|
| State | PUBLISHED |
| Assigner | eclipse |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-08 14:16:32 UTC |
| Updated | 2026-07-02 12:17:43 UTC |
| Description | In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation. |
Risk And Classification
Primary CVSS: v3.1 7.4 HIGH from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.000200000 probability, percentile 0.054130000 (date 2026-04-14)
Problem Types: CWE-226 | CWE-287 | CWE-226 CWE-226 Sensitive information in resource not removed before reuse | CWE-287 CWE-287 Improper Authentication | CWE-226 Sensitive Information in Resource Not Removed Before Reuse
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | [email protected] | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | CNA | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Eclipse Foundation | Eclipse Jetty | affected 12.1.0 12.1.7 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 12.0.0 12.0.33 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 11.0.0 11.0.28 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 10.0.0 10.0.28 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 9.4.0 9.4.60 semver | Not specified |
| ADP | Red Hat | HawtIO HawtIO 4.4.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Offline Knowledge Portal 1.2.7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4.18.1 For Spring Boot 3.5.14 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:28573 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17668 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5795.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-5795 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| gitlab.eclipse.org/security/cve-assignment/-/issues/92 | [email protected] | gitlab.eclipse.org | Broken Link |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436cht... | [email protected] | github.com | Broken Link |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: https://github.com/HRsGIT (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-08T14:01:02.911Z | Reported to Red Hat. |
| ADP | 2026-04-08T13:32:28.935Z | Made public. |
Solutions
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:28573: Red Hat Offline Knowledge Portal 1.2.7
ADP: RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14
Workarounds
ADP: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.