CVE-2026-6790
Summary
| CVE | CVE-2026-6790 |
|---|---|
| State | PUBLISHED |
| Assigner | eclipse |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 09:16:41 UTC |
| Updated | 2026-07-14 18:35:54 UTC |
| Description | In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present). This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112). This mismatch can cause a number of problems that may be classified as vulnerabilities such as: * URI constructions (for example, for redirects -- this is typical for login pages) * Virtual host selection * Reverse proxying * Misleading logs * Etc. Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.001960000 probability, percentile 0.095190000 (date 2026-07-14)
Problem Types: CWE-20 | CWE-20 CWE-20
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | CVSS | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Eclipse Foundation | Eclipse Jetty | affected 9.4.0 9.4.60 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 10.0.0 10.0.28 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 11.0.0 11.0.28 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 12.0.0 12.0.34 semver | Not specified |
| CNA | Eclipse Foundation | Eclipse Jetty | affected 12.1.0 12.1.8 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| gitlab.eclipse.org/security/cve-assignment/-/work_items/99 | [email protected] | gitlab.eclipse.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.