{"api_version":"1","generated_at":"2026-07-15T03:58:04+00:00","cve":"CVE-2026-8384","urls":{"html":"https://cve.report/CVE-2026-8384","api":"https://cve.report/api/cve/CVE-2026-8384.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-8384","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-8384"},"summary":{"title":"CVE-2026-8384","description":"In Eclipse Jetty, an HTTP URI of this form:\n\n\n\n\n\n/public;/../admin/secret.txt\n\n\n\n\n\n\n\n\nresults in an unresolved path of:\n\n\n\n\n\n/public/../admin/secret.txt\n\n\n\n\n\n\n\n\ninstead of the expected:\n\n\n\n\n\n/admin/secret.txt\n\n\n\n\n\n\n\n\nJetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).\n\n\n\n\nHowever, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.","state":"PUBLISHED","assigner":"eclipse","published_at":"2026-07-14 09:16:42","updated_at":"2026-07-14 18:39:51"},"problem_types":["CWE-647","CWE-647 CWE-647"],"metrics":[{"version":"3.1","source":"emo@eclipse.org","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://gitlab.eclipse.org/security/cve-assignment/-/work_items/108","name":"https://gitlab.eclipse.org/security/cve-assignment/-/work_items/108","refsource":"emo@eclipse.org","tags":["Vendor Advisory","Exploit"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-8384","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8384","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Eclipse Foundation","product":"Eclipse Jetty","version":"affected 12.0.0 12.0.34 semver","platforms":[]},{"source":"CNA","vendor":"Eclipse Foundation","product":"Eclipse Jetty","version":"affected 12.1.0 12.1.8 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"https://github.com/jweny","lang":"en"},{"source":"CNA","value":"https://github.com/lworld0x00","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"8384","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"eclipse","cpe5":"jetty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"8384","cve":"CVE-2026-8384","epss":"0.001910000","percentile":"0.089540000","score_date":"2026-07-14","updated_at":"2026-07-15 00:14:55"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-8384","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T12:18:08.648859Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T12:18:29.831Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Eclipse Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Foundation","versions":[{"lessThanOrEqual":"12.0.34","status":"affected","version":"12.0.0","versionType":"semver"},{"lessThanOrEqual":"12.1.8","status":"affected","version":"12.1.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"https://github.com/jweny"},{"lang":"en","type":"finder","value":"https://github.com/lworld0x00"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Eclipse Jetty, an HTTP URI of this form:</p>\n<div>\n<pre><code>/public;/../admin/secret.txt</code></pre>\n\n</div>\n<p>results in an unresolved path of:</p>\n<div>\n<pre><code>/public/../admin/secret.txt</code></pre>\n\n</div>\n<p>instead of the expected:</p>\n<div>\n<pre><code>/admin/secret.txt</code></pre>\n\n</div>\n<p>Jetty itself is not affected, as it will not serve the <code>secret.txt</code> file because it will not pass the alias checker (only resolved resources are served).</p>\n<p>However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.</p>"}],"value":"In Eclipse Jetty, an HTTP URI of this form:\n\n\n\n\n\n/public;/../admin/secret.txt\n\n\n\n\n\n\n\n\nresults in an unresolved path of:\n\n\n\n\n\n/public/../admin/secret.txt\n\n\n\n\n\n\n\n\ninstead of the expected:\n\n\n\n\n\n/admin/secret.txt\n\n\n\n\n\n\n\n\nJetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).\n\n\n\n\nHowever, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-647","description":"CWE-647","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T08:56:17.525Z","orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse"},"references":[{"url":"https://gitlab.eclipse.org/security/cve-assignment/-/work_items/108"}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","assignerShortName":"eclipse","cveId":"CVE-2026-8384","datePublished":"2026-07-14T08:56:17.525Z","dateReserved":"2026-05-12T10:01:35.472Z","dateUpdated":"2026-07-14T12:18:29.831Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 09:16:42","lastModifiedDate":"2026-07-14 18:39:51","problem_types":["CWE-647","CWE-647 CWE-647"],"metrics":{"cvssMetricV31":[{"source":"emo@eclipse.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T12:18:08.648859Z","id":"CVE-2026-8384","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0.0","versionEndExcluding":"12.0.35","matchCriteriaId":"655AA819-8D55-40C7-BCF3-F7D2AC085C41"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"12.1.0","versionEndExcluding":"12.1.9","matchCriteriaId":"FF2AE57E-99D5-4181-A5B6-77A5FFBEB3F1"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"8384","Ordinal":"1","Title":"CVE-2026-8384","CVE":"CVE-2026-8384","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"8384","Ordinal":"1","NoteData":"In Eclipse Jetty, an HTTP URI of this form:\n\n\n\n\n\n/public;/../admin/secret.txt\n\n\n\n\n\n\n\n\nresults in an unresolved path of:\n\n\n\n\n\n/public/../admin/secret.txt\n\n\n\n\n\n\n\n\ninstead of the expected:\n\n\n\n\n\n/admin/secret.txt\n\n\n\n\n\n\n\n\nJetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).\n\n\n\n\nHowever, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.","Type":"Description","Title":"CVE-2026-8384"}]}}}