{ "threat_severity" : "Important", "public_date" : "2026-04-08T13:32:28Z", "bugzilla" : { "description" : "org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables", "id" : "2456519", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456519" }, "cvss3" : { "cvss3_base_score" : "7.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-226", "details" : [ "A flaw was found in Eclipse Jetty. The `JASPIAuthenticator` class is responsible for handling authentication checks. During these checks, the class sets two ThreadLocal variables to store authentication state. Under certain conditions, the authentication process can return early without properly clearing the ThreadLocal variables, allowing a subsequent request to inherit the un-cleared ThreadLocal values. This issue can cause broken access control, authentication bypass, privilege escalation and data breaches." ], "statement" : "This vulnerability is only exploitable when `JASPIAuthenticator` class returns early and a subsequent request inherits the un-cleared ThreadLocal values. This requires a new request to be assigned the exact same recycled thread, increasing the complexity of exploitation. Due to these reasons, this flaw has been rated with an important severity.", "affected_release" : [ { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-annotations" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-apache-jsp" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-plus" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-servlet" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-servlets" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "jetty-ee10-webapp" } ], "package_state" : [ { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "jetty-ee10-servlet", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "jetty-ee10-webapp", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-servlet", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-annotations", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-apache-jsp", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-cdi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-fcgi-proxy", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-glassfish-jstl", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-home", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jaspi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jndi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jspc-maven-plugin", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-maven-plugin", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-plus", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-proxy", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-quickstart", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-servlet", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-servlets", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "jetty-ee10-webapp", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-annotations", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-apache-jsp", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-cdi", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-fcgi-proxy", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-glassfish-jstl", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-home", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jaspi", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jndi", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-jspc-maven-plugin", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-maven-plugin", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-plus", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-proxy", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-quickstart", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-servlet", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-servlets", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "jetty-ee10-webapp", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/openvsx-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/pluginregistry-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "jetty-ee10-servlet", "cpe" : "cpe:/a:redhat:amq_streams:3" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "jetty-ee10-servlets", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-5795\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5795\nhttps://github.com/advisories/GHSA-gc59-r5jq-98qw" ], "name" : "CVE-2026-5795", "mitigation" : { "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "lang" : "en:us" }, "csaw" : false }