Platform: java
Component: org.eclipse.jetty.ee11:jetty-ee11-jaspi
Fixed in: 12.1.8, 12.0.34, 11.0.29, 10.0.29, 9.4.61
CVE-2026-5795 is an authentication bypass vulnerability affecting Jetty EE11 Jaspi versions 12.1.0 through 12.1.7. The flaw is that authentication metadata kept in ThreadLocal variables is not cleared consistently when an error occurs during authentication, so state left behind by one request can survive on the pooled worker thread and be picked up by the next request that thread handles. Successful exploitation could allow an attacker to impersonate users and gain unauthorized access to protected resources. A fix is available in version 12.1.8.
The impact of CVE-2026-5795 is significant: an attacker who can trigger the faulty error path can be treated as a legitimate user and inherit that user's privileges and data, which can lead to data exposure, unauthorized modifications, or full compromise of the application. Exploitation depends on first driving the authentication path into the error condition that skips cleanup, which adds a step but does not reduce the impact. The bypass is particularly damaging where Jetty's JASPI integration is the only authentication layer in front of a larger application or web service.
CVE-2026-5795 was publicly disclosed on 2026-04-14. Its severity is rated HIGH with a CVSS score of 7.4. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability, and it is not listed on the CISA KEV catalog as of this writing. The dependence on specific error conditions may limit immediate exploitability, but it remains a high-severity issue that should be patched promptly.
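To make the failure mode concrete, here is an added example that is not Jetty's code: a stripped-down model of the bug class described above, with a vulnerable handler that clears its ThreadLocal only on the success path next to a hardened one that clears it in a finally block, both driven from a single worker thread so the leak is deterministic. Every class and method name here (ThreadLocalAuthLeakDemo, handleVulnerable, handleFixed, validateCredential, the Request record) is an assumption made for the illustration; the real Jetty JASPI internals differ.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;

// Simplified model of "ThreadLocal auth state not cleared on error paths".
// Hypothetical names; this is an illustration, not Jetty's implementation.
public class ThreadLocalAuthLeakDemo {

    // Stand-in for authentication metadata that a JASPI-style module parks on the thread.
    private static final ThreadLocal<String> AUTH_USER = new ThreadLocal<>();

    static class AuthException extends Exception {
        AuthException(String msg) { super(msg); }
    }

    // claimedUser: identity asserted by the credential, or null for an unauthenticated request.
    // failValidation: forces the validation step to throw (the "error condition").
    record Request(String claimedUser, boolean failValidation) {}

    static void validateCredential(Request r) throws AuthException {
        if (r.failValidation()) throw new AuthException("validation callback failed");
    }

    // VULNERABLE: the ThreadLocal is populated before validation and removed only on
    // success. When validateCredential() throws, the early return skips the cleanup,
    // and the asserted identity stays on the worker thread for the next request.
    static String handleVulnerable(Request r) {
        if (r.claimedUser() != null) {
            AUTH_USER.set(r.claimedUser());
            try {
                validateCredential(r);
                String user = AUTH_USER.get();
                AUTH_USER.remove();                 // cleared on the success path only
                return "200 as " + user;
            } catch (AuthException e) {
                return "401 error: " + e.getMessage();   // no cleanup on this path
            }
        }
        // Unauthenticated request: whatever is still on the thread is trusted.
        String stale = AUTH_USER.get();
        return stale == null ? "401 anonymous" : "200 as " + stale;
    }

    // FIXED: cleanup is unconditional (finally), and a request that presents no
    // credential never consults thread-local state at all.
    static String handleFixed(Request r) {
        if (r.claimedUser() != null) {
            AUTH_USER.set(r.claimedUser());
            try {
                validateCredential(r);
                return "200 as " + AUTH_USER.get();
            } catch (AuthException e) {
                return "401 error: " + e.getMessage();
            } finally {
                AUTH_USER.remove();                 // runs on success and on error
            }
        }
        return "401 anonymous";
    }

    // Serve the requests in order on ONE pooled thread, as a busy server eventually will.
    static List<String> runOnOneWorker(Function<Request, String> handler, List<Request> requests)
            throws InterruptedException, ExecutionException {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            List<String> results = new ArrayList<>();
            for (Request r : requests) {
                results.add(worker.submit(() -> handler.apply(r)).get());
            }
            return results;
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: a request asserting "alice" whose validation errors out,
        // followed by a request with no credential at all on the same thread.
        List<Request> sequence = List.of(
                new Request("alice", true),
                new Request(null, false));
        System.out.println("vulnerable: " + runOnOneWorker(ThreadLocalAuthLeakDemo::handleVulnerable, sequence));
        System.out.println("fixed:      " + runOnOneWorker(ThreadLocalAuthLeakDemo::handleFixed, sequence));
    }
}
```

Under the vulnerable handler the second, credential-less request is served as alice, because her asserted identity survived the failed validation on the worker thread; under the fixed handler it is anonymous. The same two-request sequence, repeated enough times to land on every thread in a real server's pool, is the regression check worth running after the upgrade.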
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5795 is to upgrade to Jetty EE11 Jaspi version 12.1.8 or later, which contains the fix. If an immediate upgrade is not feasible, consider temporary workarounds. A WAF rule is unlikely to help, since the bypass is a server-side state leak rather than a malformed request; reviewing and tightening the JASPI authentication policy, particularly around mandatory callback handling, may offer limited protection. Test any configuration change in a non-production environment before deploying it. After upgrading, confirm the installed artifact version and add a regression check: send a request that asserts a named user but fails authentication with an error, then send an unauthenticated request, and verify the second request is not treated as that user. Because a follow-up request is not guaranteed to land on the same worker thread in a real server, repeat the pair enough times to cover the whole thread pool.
Update Eclipse Jetty to version 9.4.61 or later, 10.0.29 or later, 11.0.29 or later, 12.0.34 or later, or 12.1.8 or later to mitigate the vulnerability. The update corrects the issue by clearing the ThreadLocal authentication state on every exit from the authentication path, error returns included, so that no identity leaks to the next request handled by the thread.
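As an added example (not a tool from the Jetty project), the following Java scanner reads `mvn dependency:list` output and flags JASPI artifacts that sit below the fixed version for their release line, using the fixed versions listed on this page. The artifact-name pattern (any org.eclipse.jetty group with an artifact named jetty-jaspi or jetty-<something>-jaspi) and the sample output lines are constructed assumptions for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: flag Jetty JASPI artifacts below the fixed patch level for their line.
public class JettyJaspiVersionCheck {

    // release line ("major.minor") -> first fixed patch level, taken from the advisory above
    static final Map<String, Integer> FIXED_PATCH = Map.of(
            "9.4", 61, "10.0", 29, "11.0", 29, "12.0", 34, "12.1", 8);

    // Matches e.g. "org.eclipse.jetty.ee11:jetty-ee11-jaspi:jar:12.1.5:compile" or
    // "org.eclipse.jetty:jetty-jaspi:jar:9.4.57.v20241219:compile" (assumed naming).
    static final Pattern COORD = Pattern.compile(
            "(org\\.eclipse\\.jetty(?:\\.[a-z0-9]+)*):(jetty-(?:[a-z0-9]+-)?jaspi):(?:[a-z]+:)*(\\d+)\\.(\\d+)\\.(\\d+)");

    record Finding(String coordinate, String verdict) {}

    // One finding per JASPI artifact in the input; other dependencies are ignored.
    static List<Finding> scan(List<String> dependencyListLines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : dependencyListLines) {
            Matcher m = COORD.matcher(line);
            if (!m.find()) continue;
            String group = m.group(1);
            String artifact = m.group(2);
            int major = Integer.parseInt(m.group(3));
            int minor = Integer.parseInt(m.group(4));
            int patch = Integer.parseInt(m.group(5));
            String line_ = major + "." + minor;
            String coordinate = group + ":" + artifact + ":" + line_ + "." + patch;
            Integer fixedPatch = FIXED_PATCH.get(line_);
            if (fixedPatch == null) {
                findings.add(new Finding(coordinate, "release line not covered by this advisory, check upstream"));
            } else if (patch < fixedPatch) {
                findings.add(new Finding(coordinate, "affected, upgrade to " + line_ + "." + fixedPatch + " or later"));
            } else {
                findings.add(new Finding(coordinate, "fixed"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output; not real project output.
        List<String> sample = List.of(
                "[INFO] The following files have been resolved:",
                "[INFO]    org.eclipse.jetty.ee11:jetty-ee11-jaspi:jar:12.1.5:compile",
                "[INFO]    org.eclipse.jetty:jetty-jaspi:jar:9.4.57.v20241219:compile",
                "[INFO]    org.eclipse.jetty:jetty-server:jar:12.1.5:compile",
                "[INFO]    org.eclipse.jetty.ee11:jetty-ee11-jaspi:jar:12.1.8:compile");
        for (Finding f : scan(sample)) {
            System.out.println(f.coordinate() + " -> " + f.verdict());
        }
    }
}
```

Feed it the output of `mvn dependency:list` (or `mvn dependency:tree`, whose lines contain the same group:artifact:type:version tokens) from every module that ships Jetty; transitive copies pulled in by another library are the ones most often missed.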
CVE-2026-5795 is a security vulnerability in Jetty EE11 Jaspi allowing attackers to bypass authentication due to improper ThreadLocal clearing, potentially leading to unauthorized access.
You are affected if you are using Jetty EE11 Jaspi versions 12.1.0 through 12.1.7. Upgrade to version 12.1.8 or later to mitigate the risk.
The recommended fix is to upgrade to Jetty EE11 Jaspi version 12.1.8 or a later version that addresses this vulnerability.
As of now, there are no publicly known active exploits or campaigns targeting CVE-2026-5795, but it remains a high-severity issue that should be patched promptly.
Refer to the official Eclipse Jetty project website and security advisories for the most up-to-date information regarding CVE-2026-5795.