cvedb.io
CVE-2026-5795
HIGH · CVSS 7.4
EPSS exploitation probability: 0%
Published 2026-04-08T14:16:32.633 · Last modified 2026-07-02T12:17:43.103

Summary

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Affected products

eclipse — jetty

Does this affect you?

Add your gear to cvedb and we'll alert you only when eclipse ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.