Eclipse Jetty JASPIAuthenticator ThreadLocal Privilege Escalation (CVE-2026-5795)
Eclipse Jetty is vulnerable to broken access control and privilege escalation due to improper handling of ThreadLocal variables within the JASPIAuthenticator, potentially leading to unauthorized access.
CVE-2026-5795 describes a vulnerability in Eclipse Jetty related to improper handling of ThreadLocal variables within the JASPIAuthenticator class. When initiating authentication checks, the JASPIAuthenticator sets two ThreadLocal variables. Under specific conditions, the code prematurely returns without clearing these ThreadLocal variables. As a result, a subsequent request processed by the same thread inherits these ThreadLocal values from the previous request, leading to broken access control and privilege escalation. This vulnerability could allow an attacker to gain unauthorized access or elevated privileges within the Jetty application.
Attack Chain
- An unauthenticated user sends an initial request to the Jetty server.
- The
JASPIAuthenticatorclass initiates authentication checks for the request. - The
JASPIAuthenticatorsets ThreadLocal variables to store authentication-related data. - Due to specific conditions (e.g., an error or incomplete authentication), the
JASPIAuthenticatorreturns early without clearing the ThreadLocal variables. - A subsequent request from a different user (or even the same user) is processed by the same thread.
- The
JASPIAuthenticatorreuses the thread, inheriting the stale ThreadLocal values from the previous request. - The inherited ThreadLocal values bypass or alter the authentication checks, granting the subsequent request unauthorized access.
- The attacker gains elevated privileges or access to sensitive data due to the broken access control.
Impact
Successful exploitation of this vulnerability (CVE-2026-5795) results in broken access control and privilege escalation within the Eclipse Jetty server. An attacker could potentially gain unauthorized access to sensitive resources, perform actions on behalf of other users, or elevate their privileges to an administrative level. The exact impact depends on the specific configuration of the Jetty server and the resources it protects.
Recommendation
- Apply the patch or upgrade to a version of Eclipse Jetty that addresses CVE-2026-5795 to remediate the vulnerability.
- Monitor web server logs for anomalies related to authentication, particularly around the
JASPIAuthenticatorclass, to detect potential exploitation attempts. - Implement robust authentication and authorization mechanisms in your Jetty applications to minimize the impact of potential access control bypasses.
Detection coverage 2
Detect Jetty Authentication Errors
mediumDetects HTTP 500 errors potentially related to authentication failures within Jetty, which could precede or be a symptom of CVE-2026-5795 exploitation.
Detect Multiple Authentication Attempts from Single IP
lowDetects a high number of failed authentication attempts from a single IP address within a short period, indicating potential brute-force or exploitation attempts against Jetty's authentication mechanism.
Detection queries are available on the platform. Get full rules →