Cyber Resilience

CVE-2026-5795

Severity: High
Published: 08 April 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5795 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Eclipse Jetty. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 9.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5795 is a vulnerability in Eclipse Jetty's JASPIAuthenticator class, where authentication checks set two ThreadLocal variables that are not cleared under certain early return conditions. This allows a subsequent request processed on the same thread to inherit those ThreadLocal values, resulting in broken access control and privilege escalation. The issue is associated with CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) and CWE-287 (Improper Authentication), with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A remote, unauthenticated attacker with network access can exploit this vulnerability, though it requires high attack complexity. Successful exploitation enables the attacker to inherit authentication context from prior requests, leading to privilege escalation, high confidentiality impact through unauthorized data access, and high integrity impact through unauthorized modifications, without affecting availability.

Advisories and further details are available in the Jetty project's GitHub security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c and the Eclipse security issue tracker at https://gitlab.eclipse.org/security/cve-assignment/-/issues/92. The vulnerability was published on 2026-04-08.

Vulnerability details

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
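The following Java program is an added illustration of the failure mode described above; it is not Jetty's code and the class, method and ThreadLocal names are constructed. Two ThreadLocals populated during an authentication check survive an early return, so the next request served by the same pooled worker thread inherits the previous caller's identity, while the hardened variant clears both in a finally block on every exit path.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
// Constructed illustration, not Jetty code: two ThreadLocals stand in for the
// per-request authentication state JASPIAuthenticator keeps while validating.
public class ThreadLocalLeakDemo {
    static final ThreadLocal<String> REQUEST_PATH = new ThreadLocal<>();
    static final ThreadLocal<String> IDENTITY = new ThreadLocal<>();

    // Vulnerable pattern: the early return for unprotected paths skips cleanup,
    // so IDENTITY stays bound to the worker thread after the request completes.
    static String vulnerableAuth(String path, String credential) {
        REQUEST_PATH.set(path);
        if (credential != null) IDENTITY.set("user:" + credential);
        if (path.startsWith("/public/")) {
            return "anonymous";            // early return, ThreadLocals never cleared
        }
        String who = IDENTITY.get() == null ? "anonymous" : IDENTITY.get();
        REQUEST_PATH.remove();
        IDENTITY.remove();
        return who;
    }
    // Hardened pattern: try/finally clears both ThreadLocals on every exit path.
    static String fixedAuth(String path, String credential) {
        REQUEST_PATH.set(path);
        if (credential != null) IDENTITY.set("user:" + credential);
        try {
            if (path.startsWith("/public/")) return "anonymous";
            return IDENTITY.get() == null ? "anonymous" : IDENTITY.get();
        } finally {
            REQUEST_PATH.remove();
            IDENTITY.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single-thread executor models a container pool reusing one worker
        // thread for consecutive requests.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            worker.submit(() -> vulnerableAuth("/public/index", "alice")).get();
            // Credential-less request on the same thread now carries alice's identity.
            System.out.println("vulnerable: " + worker.submit(() -> vulnerableAuth("/admin", null)).get());
            worker.submit(() -> fixedAuth("/public/index", "alice")).get();
            System.out.println("fixed:      " + worker.submit(() -> fixedAuth("/admin", null)).get());
        } finally {
            worker.shutdown();
        }
    }
}
```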

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability affects a public-facing web server (Eclipse Jetty) and directly enables exploitation leading to broken access control and privilege escalation via improper authentication handling and uncleared ThreadLocal state.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2332 (same product: Eclipse Jetty)
CVE-2026-1605 (same product: Eclipse Jetty)
CVE-2025-55100 (same vendor: Eclipse)
CVE-2026-1188 (same vendor: Eclipse)
CVE-2025-67109 (same vendor: Eclipse)
CVE-2025-1471 (same vendor: Eclipse)
CVE-2026-24457 (same vendor: Eclipse)
CVE-2026-2586 (same vendor: Eclipse)
CVE-2024-10838 (same vendor: Eclipse)
CVE-2026-0648 (same vendor: Eclipse)

Affected Assets

Eclipse Jetty: 9.4.0 to 9.4.58, 10.0.0 to 10.0.26, 11.0.0 to 11.0.26

Mitigating Controls (NIST 800-53 r5)

SC-4 Information in Shared System Resources (prevent): directly prevents unauthorized transfer of sensitive authentication context via shared thread resources such as uncleared ThreadLocal variables.
SI-2 Flaw Remediation (prevent): requires identification, reporting, and correction of the specific software flaw in Jetty's JASPIAuthenticator that fails to clear ThreadLocal variables.
AC-3 Access Enforcement (prevent): enforces approved access authorizations, mitigating broken access control from inherited authentication state across requests.
