CVE-2026-2332

🗓️ 14 Apr 2026 10:59:10Reported by eclipseType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 203 Views🌐 WEB

Jetty HTTP/1.1 parser vulnerability enables request smuggling via quoted-string chunk extensions.

Reporter	Title	Published	Views	Family All 127
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager - Multiple CVEs addressed related to SOLR and its dependencies (such as Jetty) affecting ODM-9.0.0 and older versions	19 Jun 202620:46	–	ibm
IBM Security Bulletins	Security Bulletin: MongoDB Enterprised Advanced affected by: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (CVE-2026-2332)	16 Jun 202614:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues in Jetty	3 Jun 202615:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple issues	24 Jun 202606:08	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rational Developer for i (CVE-2026-1605, CVE-2026-29063, CVE-2025-11143, CVE-2026-2332, CVE-2025-15599, CVE-2026-0540)	27 Apr 202615:06	–	ibm
IBM Security Bulletins	Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by a HTTP Request/Response Smuggling Vulnerability in Eclipse Jetty (CVE-2026-2332)	19 Jun 202614:47	–	ibm
IBM Security Bulletins	Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in Eclipse Jetty	11 Jun 202616:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in jetty-http (CVE-2026-2332)	4 May 202616:07	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition	11 Jun 202612:09	–	ibm
ATTACKERKB	CVE-2026-2332	14 Apr 202610:59	–	attackerkb

NVD

Node

eclipse jettyRange9.4.0–9.4.60

eclipse jettyRange10.0.0–10.0.28

eclipse jettyRange11.0.0–11.0.28

eclipse jettyRange12.0.0–12.0.33

eclipse jettyRange12.1.0–12.1.7

[
  {
    "vendor": "Eclipse Foundation",
    "product": "Eclipse Jetty",
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "packageName": "pkg://maven/org.eclipse.jetty/jetty-http",
    "repo": "https://github.com/jetty/jetty.project",
    "versions": [
      {
        "status": "affected",
        "version": "12.1.0",
        "lessThanOrEqual": "12.1.6",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "12.0.0",
        "lessThanOrEqual": "12.0.32",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "11.0.0",
        "lessThanOrEqual": "11.0.27",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "10.0.0",
        "lessThanOrEqual": "10.0.27",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "9.4.0",
        "lessThanOrEqual": "9.4.59",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
gitlab	www.gitlab.eclipse.org/security/cve-assignment/-/issues/89
github	www.github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf

Parameter	Position	Path	Description	CWE
ext	request body	/	HTTP/1.1 request smuggling via chunked transfer with chunk extensions (e.g., 1;ext="val...) that allows injection of a nested request.	CWE-444

17 Jun 2026 10:30Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.4 - 9.1

EPSS0.00523

SSVC

CWE-444