
CVE-2026-2332

Severity: High · Public PoC · Updated

Published: 14 April 2026
Modified: 30 June 2026
KEV Added: not listed (see Summary)
CVSS v3.1 Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0052 (40.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2332 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Eclipse Jetty. Its CVSS base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 40.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-2332 affects the HTTP/1.1 parser in Eclipse Jetty and enables HTTP request smuggling when chunk extensions are used in chunked transfer-encoded requests. The vulnerability arises because Jetty terminates chunk extension parsing when it encounters \r\n inside a quoted string, rather than treating the unterminated quoted string as an error. The flaw is similar to the "funky chunks" techniques documented at https://w4ke.info/2025/06/18/funky-chunks.html and https://w4ke.info/2025/10/29/funky-chunks-2.html. For example, a POST / HTTP/1.1 request with Transfer-Encoding: chunked whose first chunk-size line is 1;ext="val (the quoted extension value is never closed), followed by the lines X and 0 and then GET /smuggled HTTP/1.1 ..., causes an additional request to be injected.

Remote, unauthenticated network attackers can exploit this without user interaction, though the attack complexity is rated high. By sending a chunked POST request whose chunk extension contains an unclosed quoted string, the attacker makes the parser end chunk-extension parsing early, so a request that follows, such as a GET to a target endpoint, is smuggled through. The result is inconsistent interpretation of HTTP requests (CWE-444), with potential high confidentiality and integrity impact (CVSS 7.4: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), for example bypassing security controls or accessing sensitive data.

Official advisories provide mitigation guidance, including the Jetty project security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf and the Eclipse security issue at https://gitlab.eclipse.org/security/cve-assignment/-/issues/89, published on 2026-04-14.


Vulnerability details

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:

* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html

Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.

    POST / HTTP/1.1
    Host: localhost
    Transfer-Encoding: chunked

    1;ext="val
    X
    0
    GET /smuggled HTTP/1.1
    ...

Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
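The defensive counterpart to the parsing flaw described in the deeper analysis and in the vulnerability details above is a chunk-size-line parser that follows the RFC 9112 grammar exactly and rejects a quoted-string that is still open when the line ends. The Python below is an added example, not code from the advisory or from the Jetty project; the function names and the sample bodies it is checked against are constructed here, and the quoted-pair rule is simplified to "a backslash escapes one non-CR/LF byte".

```python
import re

TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]"                  # tchar, RFC 9110 5.6.2
TOKEN = TCHAR + rb"+"
QUOTED = rb'"(?:[^"\\\r\n]|\\[^\r\n])*"'                    # must close on this line
CHUNK_EXT = rb"(?:;" + TOKEN + rb"(?:=(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*"
CHUNK_LINE_RE = re.compile(rb"([0-9A-Fa-f]{1,8})" + CHUNK_EXT)


def parse_chunk_size_line(line: bytes) -> int:
    """Strict chunk-size line (the bytes before its CRLF), RFC 9112 7.1.1:
    chunk-size *( ";" ext-name [ "=" ( token / quoted-string ) ] ).
    fullmatch() makes any leftover byte an error, including a quoted-string
    that is still open at end of line, the case the advisory describes."""
    m = CHUNK_LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError(f"malformed chunk-size line: {line!r}")
    return int(m.group(1), 16)


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode one complete chunked body; ValueError on any framing defect
    or on bytes left over after the terminating chunk and trailer section."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size, pos = parse_chunk_size_line(body[pos:eol]), eol + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    end = body.find(b"\r\n\r\n", pos - 2)  # trailer section ends with an empty line
    if end < 0 or end + 4 != len(body):
        raise ValueError("bad trailer section or bytes after the last chunk")
    return bytes(out)


def is_well_formed(body: bytes) -> bool:
    """Filter-style verdict a proxy or WAF could act on: forward or reject."""
    try:
        decode_chunked_strict(body)
    except ValueError:
        return False
    return True
```

A proxy that applies this check before forwarding refuses the malformed request with a 400 rather than passing bytes that the back end may frame differently.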


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Directly enables exploitation of a public-facing HTTP parser via request smuggling (CWE-444).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5795 · Same product: Eclipse Jetty
CVE-2026-1605 · Same product: Eclipse Jetty
CVE-2026-1188 · Same vendor: Eclipse
CVE-2025-67109 · Same vendor: Eclipse
CVE-2025-55100 · Same vendor: Eclipse
CVE-2026-40562 · Shared CWE-444
CVE-2026-41873 · Shared CWE-444
CVE-2026-23527 · Shared CWE-444
CVE-2026-2833 · Shared CWE-444
CVE-2026-2586 · Same vendor: Eclipse

Affected Assets

eclipse / jetty: 9.4.0 to 9.4.60 · 10.0.0 to 10.0.28 · 11.0.0 to 11.0.28

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-2 (Flaw Remediation): Directly remediates the flaw in Eclipse Jetty's HTTP/1.1 parser that fails to properly handle chunk extensions with unterminated quoted strings, preventing request smuggling.

prevent: Validates information inputs such as malformed chunked HTTP requests to reject those exploiting invalid chunk extension parsing.

prevent · SC-7 (Boundary Protection): Enforces boundary protection via proxies or WAFs that normalize HTTP/1.1 parsing, blocking smuggled requests from reaching the vulnerable Jetty server.
