CVE-2026-5795

Severity: HIGH (7.4) | EPSS: 0.03%

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables

Published: 4/8/2026 | Modified: 4/14/2026
Also known as: GHSA-r7p8-xq5m-436c

Description

### Description (as reported)

A security vulnerability has been identified in Jetty's `JaspiAuthenticator.java`. The root cause is a failure to consistently clear authentication metadata stored in `ThreadLocal` during certain error or incomplete authentication flows. Specifically, after a `GroupPrincipalCallback` is persisted into the `ThreadLocal`, the authentication process may exit prematurely — before the `ThreadLocal` storage is cleared — if a mandatory `CallerPrincipalCallback` is missing or an exception occurs. This allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation. See also attached PDF.

### Impact

An unauthenticated user may gain ungranted privileges from a previous request (privilege escalation).

### Patches

No patches yet.

### Workarounds

Do not use Jetty's JASPI.
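The failure mode described above is a general one for any servlet container that keeps per-request security state in a `ThreadLocal` on a pooled worker thread. The following is an added illustration written for this page; it is not Jetty's `JaspiAuthenticator` code and does not use the JASPI API. `AuthResult`, `authenticateVulnerable`, `authenticateHardened` and `residualRoles` are hypothetical names, and the "admin" group is constructed sample input. The vulnerable shape stores group roles and then returns early when the caller principal is absent, leaving the `ThreadLocal` populated for whatever request the thread handles next; the hardened shape clears it in a `finally` block on every exit path, including exceptions.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model (not Jetty's code) of authentication state kept per worker thread.
public final class ThreadLocalRoleLeakDemo {

    // Roles established for the request currently being processed by this thread.
    private static final ThreadLocal<Set<String>> ROLES = new ThreadLocal<>();

    /** Constructed stand-in for the two callbacks an authentication module would issue. */
    static final class AuthResult {
        final String callerPrincipal;   // null models a missing CallerPrincipalCallback
        final Set<String> groups;       // models the groups from a GroupPrincipalCallback

        AuthResult(String callerPrincipal, Set<String> groups) {
            this.callerPrincipal = callerPrincipal;
            this.groups = groups;
        }
    }

    /**
     * Vulnerable shape: groups are persisted into the ThreadLocal first, then the
     * method returns early when the caller principal is missing. The clear-down at
     * the bottom is skipped, so the roles survive into the thread's next request.
     */
    static Set<String> authenticateVulnerable(AuthResult result) {
        ROLES.set(new HashSet<>(result.groups));   // GroupPrincipalCallback persisted
        if (result.callerPrincipal == null) {
            return null;                           // early return: ThreadLocal never cleared
        }
        Set<String> roles = new HashSet<>(ROLES.get());
        ROLES.remove();                            // only reached on the success path
        return roles;
    }

    /**
     * Hardened shape: the same logic, but the ThreadLocal is removed in finally so
     * that early returns and exceptions cannot leave state behind on the thread.
     */
    static Set<String> authenticateHardened(AuthResult result) {
        try {
            ROLES.set(new HashSet<>(result.groups));
            if (result.callerPrincipal == null) {
                return null;
            }
            return new HashSet<>(ROLES.get());
        } finally {
            ROLES.remove();                        // runs on every exit path
        }
    }

    /** What the next request dispatched to this same worker thread would observe. */
    static Set<String> residualRoles() {
        Set<String> r = ROLES.get();
        return r == null ? Set.of() : r;
    }

    public static void main(String[] args) {
        // Constructed input: a group was asserted but no caller principal was supplied.
        AuthResult incomplete = new AuthResult(null, Set.of("admin"));

        authenticateVulnerable(incomplete);
        System.out.println("vulnerable: roles left on thread = " + residualRoles());
        ROLES.remove(); // reset between the two demonstrations

        authenticateHardened(incomplete);
        System.out.println("hardened:   roles left on thread = " + residualRoles());
    }
}
```

Running the demo on a single thread stands in for two consecutive requests on one pooled worker: the first call leaves the constructed "admin" group in place, the second leaves nothing. The same `try`/`finally` discipline applies to any request-scoped `ThreadLocal` (security context, tenant id, correlation id) in a container that reuses threads.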

Affected packages (8)

CVSS scores

Source: osv | Version: CVSS 3.1 | Severity: HIGH (7.4) | Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (6)