CVE-2026-5795
Published: 08 April 2026
Summary
CVE-2026-5795 is a high-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability in Eclipse Jetty. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 6.3 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SC-4 directly prevents unauthorized transfer of sensitive authentication context via shared thread resources like uncleared ThreadLocal variables.
SI-2 requires identification, reporting, and correction of the specific software flaw in Jetty's JASPIAuthenticator that fails to clear ThreadLocal variables.
AC-3 enforces approved access authorizations, mitigating broken access control from inherited authentication state across requests.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability affects a public-facing web server (Eclipse Jetty) and directly enables exploitation leading to broken access control and privilege escalation via improper authentication handling and uncleared ThreadLocal state.
NVD Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
Deeper analysis (AI-generated)
CVE-2026-5795 is a vulnerability in Eclipse Jetty's JASPIAuthenticator class, where authentication checks set two ThreadLocal variables that are not cleared under certain early return conditions. This allows a subsequent request processed on the same thread to inherit those ThreadLocal values, resulting in broken access control and privilege escalation. The issue is associated with CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) and CWE-287 (Improper Authentication), with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
A remote, unauthenticated attacker with network access can exploit this vulnerability, though it requires high attack complexity. Successful exploitation enables the attacker to inherit authentication context from prior requests, leading to privilege escalation, high confidentiality impact through unauthorized data access, and high integrity impact through unauthorized modifications, without affecting availability.
Advisories and further details are available in the Jetty project's GitHub security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c and the Eclipse security issue tracker at https://gitlab.eclipse.org/security/cve-assignment/-/issues/92. The vulnerability was published on 2026-04-08.
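As an added illustration (not Jetty's own code; the class, the Request record and the handler names are hypothetical, Java 17 assumed), the program below reproduces the failure mode described above in miniature: a per-thread authentication context is set before the checks, an early return skips the cleanup, and a later request served by the same pool thread reads the stale value. The hardened handler clears the ThreadLocal in a finally block so that every exit path, early return included, leaves the thread clean.

```java
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Hypothetical request: the credential may be absent, as for an unauthenticated caller.
    record Request(String path, Optional<String> credential) {}

    // Per-thread authentication context, standing in for the ThreadLocals the advisory describes.
    static final ThreadLocal<String> AUTH_USER = new ThreadLocal<>();

    // Vulnerable pattern: the context is set, then an early return bypasses the cleanup.
    static String handleVulnerable(Request req) {
        req.credential().ifPresent(AUTH_USER::set);      // set before the checks run
        if (!req.path().startsWith("/secure")) {
            return "public";                             // early return: AUTH_USER is never cleared
        }
        String user = AUTH_USER.get();                   // may be a value left by an earlier request
        AUTH_USER.remove();                              // cleanup only reached on this path
        return user == null ? "denied" : "granted:" + user;
    }

    // Hardened pattern: finally runs on every exit path, so no state survives the request.
    static String handleFixed(Request req) {
        try {
            req.credential().ifPresent(AUTH_USER::set);
            if (!req.path().startsWith("/secure")) return "public";
            String user = AUTH_USER.get();
            return user == null ? "denied" : "granted:" + user;
        } finally {
            AUTH_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread mimics a server pool reusing the same thread for consecutive requests.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Request first = new Request("/public", Optional.of("alice"));  // constructed: authenticated, public path
        Request second = new Request("/secure", Optional.empty());     // constructed: no credential, protected path

        pool.submit(() -> handleVulnerable(first)).get();
        // The second request carries no credential, yet reads whatever the first left on the thread.
        System.out.println("vulnerable: " + pool.submit(() -> handleVulnerable(second)).get());

        pool.submit(() -> handleFixed(first)).get();
        // With cleanup in finally, the second request sees no inherited identity.
        System.out.println("fixed:      " + pool.submit(() -> handleFixed(second)).get());
        pool.shutdown();
    }
}
```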
Details
- CWE(s)