Fabre

#1133374 jetty9: CVE-2026-5795 #1133374

Package:: jetty9

Source:: jetty9

Submitter:: Salvatore Bonaccorso

Date:: 2026-04-12 15:19:02 UTC

Severity:: normal

Tags:

#1133374#5

Date:: 2026-04-12 15:16:15 UTC

From:

To:

Hi,

The following vulnerability was published for jetty.

CVE-2026-5795[0]:
| In Eclipse Jetty, the class JASPIAuthenticator initiates the
| authentication checks, which set two ThreadLocal variable.   Upon
| returning from the initial checks, there are conditions that cause
| an early return from the JASPIAuthenticator code without clearing
| those ThreadLocals.   A subsequent request using the same thread
| inherits the ThreadLocal values, leading to a broken access control
| and privilege escalation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5795
https://www.cve.org/CVERecord?id=CVE-2026-5795
[1] https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1133374 jetty9: CVE-2026-5795 #1133374

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)