org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables

A flaw was found in Eclipse Jetty. The JASPIAuthenticator class is responsible for handling authentication checks. During these checks, the class sets two ThreadLocal variables to store authentication state. Under certain conditions, the authentication process can return early without properly...

Security update for jetty-minimal

This update for jetty-minimal fixes the following issues: CVE-2026-2332: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques bsc1262115. CVE-2026-5795: Fixed JaspiAuthenticator broken access control...

Important: jetty

Issue Overview: In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A...

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables

Description as reported A security vulnerability has been identified in Jetty's JaspiAuthenticator.java. The root cause is a failure to consistently clear authentication metadata stored in ThreadLocal during certain error or incomplete authentication flows. Specifically, after a...

EUVD-2026-20473

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables...

CVE-2026-5795

A flaw was found in Eclipse Jetty. The JASPIAuthenticator class is responsible for handling authentication checks. During these checks, the class sets two ThreadLocal variables to store authentication state. Under certain conditions, the authentication process can return early without properly...

Duplicate Advisory: Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r7p8-xq5m-436c. This link is maintained to preserve external references. Original Description In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variabl...

CVE-2026-5795

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent reques...

CVE-2026-5795

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent reques...

Sensitive Information in Resource Not Removed Before Reuse

Overview Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse in the JASPIAuthenticator. An attacker can gain unauthorized access or escalate privileges by exploiting residual ThreadLocal values that are not cleared after authentication...

Sensitive Information in Resource Not Removed Before Reuse

Overview Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse in the JASPIAuthenticator. An attacker can gain unauthorized access or escalate privileges by exploiting residual ThreadLocal values that are not cleared after authentication...

CVE-2026-5795

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent reques...

CVE-2026-5795

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent reques...

PT-2026-31308

Name of the Vulnerable Software and Affected Versions Eclipse Jetty affected versions not specified Description Eclipse Jetty's JASPIAuthenticator class sets two ThreadLocal variables during authentication checks. Under certain conditions, the code returns early without clearing these ThreadLocal...

Eclipse Jetty 授权问题漏洞

Eclipse Jetty is an open-source Java-based web server and Java Servlet container developed by the Eclipse Foundation. There is an authorization issue vulnerability in Eclipse Jetty, which stems from the fact that the JASPIAuthenticator does not clear the ThreadLocal variable. This can cause...