Description
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.


Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.


A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
Published: 2026-04-08
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The flaw occurs in Eclipse Jetty’s JASPIAuthenticator class, where thread-local variables used for authentication checks are not cleared when an early return happens. As a result, a subsequent request handled by the same thread inherits stale authentication data, effectively bypassing access controls and allowing an attacker to execute actions with elevated privileges. This represents an authentication bypass and broken access control weakness.

Affected Systems

Any installation of the Eclipse Jetty web server that includes the JASPIAuthenticator component is potentially vulnerable. Specific product and version details are not listed in the advisory, so all supported Jetty releases should be verified for the presence of the issue.

Risk and Exploitability

The advisory assigns a CVSS base score of 7.4, indicating a high impact vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred as remote, relying on HTTP requests sent to the server; an attacker must be able to send multiple requests that are processed on the same worker thread to exploit the thread‑local residue.

Generated by OpenCVE AI on April 8, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eclipse Jetty update that resolves the JASPIAuthenticator thread‑local clearance bug.
  • If a patch is not yet available, upgrade to a Jetty version that does not include the vulnerable JASPIAuthenticator implementation.
  • Implement monitoring to detect unexpected privilege escalation events and review server logs for anomalous access patterns.
  • Consider configuring the server to use a dedicated thread pool that limits the reuse of worker threads for sequential requests.

Generated by OpenCVE AI on April 8, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gc59-r5jq-98qw Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title ThreadLocal Variable Leak Allows Thread-Based Privilege Escalation in Eclipse Jetty JASPIAuthenticator

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse jetty
Vendors & Products Eclipse
Eclipse jetty

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
Weaknesses CWE-226
CWE-287
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Eclipse Jetty
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-04-09T03:56:11.784Z

Reserved: 2026-04-08T13:21:06.990Z

Link: CVE-2026-5795

cve-icon Vulnrichment

Updated: 2026-04-08T16:01:58.420Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T14:16:32.633

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-5795

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:30Z

Weaknesses