GHSA-r7p8-xq5m-436c

Suggest an improvement
Source
https://github.com/advisories/GHSA-r7p8-xq5m-436c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r7p8-xq5m-436c
Aliases
  • CVE-2026-5795
Downstream
Published
2026-04-14T00:06:27Z
Modified
2026-04-14T00:29:51.298652Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables
Details

Description (as reported)

A security vulnerability has been identified in Jetty's JaspiAuthenticator.java.

The root cause is a failure to consistently clear authentication metadata stored in ThreadLocal during certain error or incomplete authentication flows. Specifically, after a GroupPrincipalCallback is persisted into the ThreadLocal, the authentication process may exit prematurely — before the ThreadLocal storage is cleared — if a mandatory CallerPrincipalCallback is missing or an exception occurs. This allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation.

See also attached PDF.

Impact

An unauthenticated user may gain ungrated privileges from a previous request (privilege escalation).

Patches

No patches yet.

Workarounds

Do not use Jetty's JASPI.

Database specific 
{
    "github_reviewed_at": "2026-04-14T00:06:27Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-226",
        "CWE-287"
    ]
}
References

Affected packages

Maven
org.eclipse.jetty.ee11:jetty-ee11-jaspi

Package

Name
org.eclipse.jetty.ee11:jetty-ee11-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee11/jetty-ee11-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.1.0
Fixed
12.1.8

Affected versions

12.*
12.1.0
12.1.1
12.1.2
12.1.3
12.1.4
12.1.5
12.1.6
12.1.7

Database specific

last_known_affected_version_range 
"<= 12.1.7"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee10:jetty-ee10-jaspi

Package

Name
org.eclipse.jetty.ee10:jetty-ee10-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.1.0
Fixed
12.1.8

Affected versions

12.*
12.1.0
12.1.1
12.1.2
12.1.3
12.1.4
12.1.5
12.1.6
12.1.7

Database specific

last_known_affected_version_range 
"<= 12.1.7"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee9:jetty-ee9-jaspi

Package

Name
org.eclipse.jetty.ee9:jetty-ee9-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.1.0
Fixed
12.1.8

Affected versions

12.*
12.1.0
12.1.1
12.1.2
12.1.3
12.1.4
12.1.5
12.1.6
12.1.7

Database specific

last_known_affected_version_range 
"<= 12.1.7"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee8:jetty-ee8-jaspi

Package

Name
org.eclipse.jetty.ee8:jetty-ee8-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.1.0
Fixed
12.1.8

Affected versions

12.*
12.1.0
12.1.1
12.1.2
12.1.3
12.1.4
12.1.5
12.1.6
12.1.7

Database specific

last_known_affected_version_range 
"<= 12.1.7"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee11:jetty-ee11-jaspi

Package

Name
org.eclipse.jetty.ee11:jetty-ee11-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee11/jetty-ee11-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.34

Database specific

last_known_affected_version_range 
"<= 12.0.33"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee10:jetty-ee10-jaspi

Package

Name
org.eclipse.jetty.ee10:jetty-ee10-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee10/jetty-ee10-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.34

Affected versions

12.*
12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
12.0.11
12.0.12
12.0.13
12.0.14
12.0.15
12.0.16
12.0.17
12.0.18
12.0.19
12.0.20
12.0.21
12.0.22
12.0.23
12.0.24
12.0.25
12.0.26
12.0.27
12.0.28
12.0.29
12.0.30
12.0.31
12.0.32
12.0.33

Database specific

last_known_affected_version_range 
"<= 12.0.33"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee9:jetty-ee9-jaspi

Package

Name
org.eclipse.jetty.ee9:jetty-ee9-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee9/jetty-ee9-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.34

Affected versions

12.*
12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
12.0.11
12.0.12
12.0.13
12.0.14
12.0.15
12.0.16
12.0.17
12.0.18
12.0.19
12.0.20
12.0.21
12.0.22
12.0.23
12.0.24
12.0.25
12.0.26
12.0.27
12.0.28
12.0.29
12.0.30
12.0.31
12.0.32
12.0.33

Database specific

last_known_affected_version_range 
"<= 12.0.33"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty.ee8:jetty-ee8-jaspi

Package

Name
org.eclipse.jetty.ee8:jetty-ee8-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty.ee8/jetty-ee8-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.34

Affected versions

12.*
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
12.0.11
12.0.12
12.0.13
12.0.14
12.0.15
12.0.16
12.0.17
12.0.18
12.0.19
12.0.20
12.0.21
12.0.22
12.0.23
12.0.24
12.0.25
12.0.26
12.0.27
12.0.28
12.0.29
12.0.30
12.0.31
12.0.32
12.0.33

Database specific

last_known_affected_version_range 
"<= 12.0.33"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty:jetty-jaspi

Package

Name
org.eclipse.jetty:jetty-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.29

Affected versions

11.*
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.0.10
11.0.11
11.0.12
11.0.13
11.0.14
11.0.15
11.0.16
11.0.17
11.0.18
11.0.19
11.0.20
11.0.21
11.0.22
11.0.23
11.0.24
11.0.25
11.0.26

Database specific

last_known_affected_version_range 
"<= 11.0.28"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty:jetty-jaspi

Package

Name
org.eclipse.jetty:jetty-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.29

Affected versions

10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.0.12
10.0.13
10.0.14
10.0.15
10.0.16
10.0.17
10.0.18
10.0.19
10.0.20
10.0.21
10.0.22
10.0.23
10.0.24
10.0.25
10.0.26

Database specific

last_known_affected_version_range 
"<= 10.0.28"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"
org.eclipse.jetty:jetty-jaspi

Package

Name
org.eclipse.jetty:jetty-jaspi
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-jaspi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.4.0
Fixed
9.4.61

Affected versions

9.*
9.4.0.v20161208
9.4.0.v20180619
9.4.1.v20170120
9.4.1.v20180619
9.4.2.v20170220
9.4.2.v20180619
9.4.3.v20170317
9.4.3.v20180619
9.4.4.v20170414
9.4.4.v20180619
9.4.5.v20170502
9.4.5.v20180619
9.4.6.v20170531
9.4.6.v20180619
9.4.7.RC0
9.4.7.v20170914
9.4.7.v20180619
9.4.8.v20171121
9.4.8.v20180619
9.4.9.v20180320
9.4.10.RC0
9.4.10.RC1
9.4.10.v20180503
9.4.11.v20180605
9.4.12.RC0
9.4.12.RC1
9.4.12.RC2
9.4.12.v20180830
9.4.13.v20181111
9.4.14.v20181114
9.4.15.v20190215
9.4.16.v20190411
9.4.17.v20190418
9.4.18.v20190429
9.4.19.v20190610
9.4.20.v20190813
9.4.21.v20190926
9.4.22.v20191022
9.4.23.v20191118
9.4.24.v20191120
9.4.25.v20191220
9.4.26.v20200117
9.4.27.v20200227
9.4.28.v20200408
9.4.29.v20200521
9.4.30.v20200611
9.4.31.v20200723
9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224
9.4.39.v20210325
9.4.40.v20210413
9.4.41.v20210516
9.4.42.v20210604
9.4.43.v20210629
9.4.44.v20210927
9.4.45.v20220203
9.4.46.v20220331
9.4.47.v20220610
9.4.48.v20220622
9.4.49.v20220914
9.4.50.v20221201
9.4.51.v20230217
9.4.52.v20230823
9.4.53.v20231009
9.4.54.v20240208
9.4.55.v20240627
9.4.56.v20240826
9.4.57.v20241219
9.4.58.v20250814

Database specific

last_known_affected_version_range 
"<= 9.4.60"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r7p8-xq5m-436c/GHSA-r7p8-xq5m-436c.json"