CVE-2026-2332
Published: 14 April 2026
Summary
CVE-2026-2332 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Eclipse Jetty. Its CVSS base score is 7.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 1.9th percentile for exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the flaw in Eclipse Jetty's HTTP/1.1 parser, which fails to treat a chunk extension with an unterminated quoted string as an error, and so removes the request-smuggling primitive.
- SI-10 (Information Input Validation): validates incoming HTTP requests and rejects malformed chunked bodies, such as a chunk-size line whose quoted extension value is never closed.
- SC-7 (Boundary Protection): places a reverse proxy or WAF that parses HTTP/1.1 strictly in front of Jetty, so that smuggled requests are rejected at the boundary before they reach the vulnerable server.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the flaw sits in the HTTP parser of an Internet-facing server, and request smuggling (CWE-444) exploits it directly from the network.
NVD Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

    POST / HTTP/1.1
    Host: localhost
    Transfer-Encoding: chunked

    1;ext="val
    X
    0

    GET /smuggled HTTP/1.1
    ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Deeper analysis
CVE-2026-2332 affects the HTTP/1.1 parser in Eclipse Jetty and enables HTTP request smuggling when chunk extensions are used in a chunked transfer-encoded request. The chunked-body grammar allows a chunk-size line to carry extensions such as 1;ext="val", where the value is a quoted string that must be closed on the same line. Jetty instead stops parsing the extension as soon as it reaches the \r\n that ends the line, even when the quoted string is still open, rather than rejecting the request. This is the class of flaw described in the "funky chunks" write-ups at https://w4ke.info/2025/06/18/funky-chunks.html and https://w4ke.info/2025/10/29/funky-chunks-2.html. In the example from the NVD description, the body of a POST with Transfer-Encoding: chunked is the chunk-size line 1;ext="val with its quote never closed, then the single chunk byte X, then the terminating 0 chunk and its blank line, and then a second request starting GET /smuggled HTTP/1.1. Jetty reads the body as the one byte X and treats everything after the 0 chunk as the next request on the connection.
Remote network attackers can exploit this without privileges or user interaction, though the attack complexity is rated high. By sending a chunked POST whose chunk extension contains an unclosed quoted string, the attacker makes Jetty end the request early and parse the bytes that follow as a further, attacker-chosen request, for example a GET to an endpoint the attacker should not reach. This is the inconsistent interpretation of HTTP requests captured by CWE-444, with potential for high confidentiality and integrity impact (CVSS 7.4: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), such as bypassing front-end access controls or reading responses meant for other users. Because request smuggling is a parser-differential attack, the practical impact depends on the deployment: it is a reverse proxy, load balancer or other front-end in front of Jetty that draws the request boundary at a different place from Jetty that turns the lenient parse into a desynchronised connection between the two hops.
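The Python script below is an added example for this page; it is not code from Jetty, from the NVD entry, or from the advisories cited here. It models the two parser behaviours described above over a request constructed to match the one in the NVD text: a lenient decoder that treats the chunk extension as finished at the line's CRLF whatever the quote state (the behaviour the advisory attributes to Jetty, modelled here rather than reproduced from Jetty's source) and a strict decoder that rejects an unterminated quoted-string, which is also the check a boundary proxy, WAF or input-validation layer should apply. The HEAD, SMUGGLED and WELL_FORMED inputs, the function names and the trailer handling are the example's own assumptions.

```python
import re
from typing import Tuple


class ChunkError(ValueError):
    """Raised when a chunked body does not parse."""


# Constructed inputs (not captured traffic). SMUGGLED mirrors the NVD
# example: the extension `ext="val` never closes its double quote, and a
# second request follows the terminating 0 chunk. WELL_FORMED is the same
# request with the quote closed and nothing after the last chunk.
HEAD = b"POST / HTTP/1.1\r\nHost: localhost\r\nTransfer-Encoding: chunked\r\n\r\n"
SMUGGLED = HEAD + b'1;ext="val\r\nX\r\n0\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: localhost\r\n\r\n'
WELL_FORMED = HEAD + b'1;ext="val"\r\nX\r\n0\r\n\r\n'


def check_extensions(ext: bytes) -> None:
    """Reject a chunk-extension string whose quoted-string is still open at
    the end of the chunk-size line (the RFC 9112 chunk-ext grammar requires
    the closing quote on the same line)."""
    in_quote = False
    i = 0
    while i < len(ext):
        c = ext[i:i + 1]
        if in_quote:
            if c == b"\\":        # quoted-pair: the next octet is literal
                i += 1
            elif c == b'"':
                in_quote = False
        elif c == b'"':
            in_quote = True
        i += 1
    if in_quote:
        raise ChunkError("unterminated quoted-string in chunk extension")


def chunk_size(line: bytes, strict: bool) -> int:
    """Parse one chunk-size line (CRLF already stripped) and return the size.

    strict=False models the lenient behaviour described in the advisory:
    the extension ends at the line break no matter the quote state.
    strict=True treats an unterminated quoted-string as a parse error.
    """
    m = re.fullmatch(rb"([0-9A-Fa-f]+)(.*)", line)
    if not m:
        raise ChunkError("bad chunk-size line")
    if strict:
        check_extensions(m.group(2))
    return int(m.group(1), 16)


def decode_chunked(data: bytes, strict: bool) -> Tuple[bytes, bytes]:
    """Decode a chunked body. Returns (decoded body, bytes left on the
    connection after the last-chunk and its trailer section)."""
    body = b""
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size = chunk_size(data[pos:eol], strict)
        pos = eol + 2
        if size == 0:
            while True:           # trailer section runs up to a blank line
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return body, data[pos:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def handle_request(raw: bytes, strict: bool) -> Tuple[str, bytes, bytes]:
    """Return (verdict, decoded body, first line of the leftover bytes).

    On a keep-alive connection a server parses the leftover bytes as the
    next request, so a non-empty leftover line is the smuggled request.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in head.lower():
        raise ChunkError("example handles chunked requests only")
    try:
        decoded, rest = decode_chunked(body, strict)
    except ChunkError as exc:
        return "rejected: " + str(exc), b"", b""
    return "accepted", decoded, rest.split(b"\r\n", 1)[0]


if __name__ == "__main__":
    for name, req in (("smuggled", SMUGGLED), ("well-formed", WELL_FORMED)):
        for strict in (False, True):
            mode = "strict" if strict else "lenient"
            print(name, mode, handle_request(req, strict))
```

Run as a script it shows the differential: the lenient decoder accepts SMUGGLED with body X and leaves GET /smuggled HTTP/1.1 queued as the next request, while the strict decoder rejects the same bytes and both decoders agree on WELL_FORMED. A front-end that behaves like the strict decoder never forwards the malformed request to Jetty, which is the SC-7 / SI-10 mitigation in concrete form.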
Official advisories provide mitigation guidance, including the Jetty project security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf and the Eclipse security issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/89, published on 2026-04-14.
Details
- CWE(s)