Fluid Attacks Database

Description

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables

Description (as reported)

A security vulnerability has been identified in Jetty's JaspiAuthenticator.java.

The root cause is a failure to consistently clear authentication metadata stored in ThreadLocal during certain error or incomplete authentication flows. Specifically, after a GroupPrincipalCallback is persisted into the ThreadLocal, the authentication process may exit prematurely — before the ThreadLocal storage is cleared — if a mandatory CallerPrincipalCallback is missing or an exception occurs. This allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation.

See also attached PDF.

Impact

An unauthenticated user may gain ungrated privileges from a previous request (privilege escalation).

Patches

No patches yet.

Workarounds

Do not use Jetty's JASPI.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	jetty9	=9.4.39-3 \|\| =9.4.39-3+deb11u1 \|\| =9.4.39-3+deb11u2 \|\| =9.4.44-1 \|\| =9.4.44-2 \|\| =9.4.44-3 \|\| =9.4.44-4 \|\| =9.4.45-1 \|\| =9.4.46-1 \|\| =9.4.48-1 \|\| =9.4.49-1 \|\| =9.4.49-1.1 \|\| =9.4.50-1 \|\| =9.4.50-1~bpo11+1 \|\| =9.4.50-2 \|\| =9.4.50-3 \|\| =9.4.50-4 \|\| =9.4.50-4+deb11u1 \|\| =9.4.50-4+deb11u2 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| =9.4.57-0+deb11u1 \|\| =9.4.57-0+deb11u2 \|\| =9.4.57-0+deb11u3 \|\| =9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 13	jetty9	=9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 14	jetty12	=12.0.17-3 \|\| =12.0.17-3.1 \|\| =12.0.17-3.1~deb13u1 \|\| =12.0.32-1 \|\| =12.0.32-2 \|\| =12.0.33-1	-
debian 12	jetty9	=9.4.50-4 \|\| =9.4.50-4+deb12u1 \|\| =9.4.50-4+deb12u2 \|\| =9.4.50-4+deb12u3 \|\| =9.4.51-1 \|\| =9.4.51-2 \|\| =9.4.52-1 \|\| =9.4.53-1 \|\| =9.4.54-1 \|\| =9.4.55-1 \|\| =9.4.56-1 \|\| =9.4.57-0+deb12u1 \|\| =9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 14	jetty9	=9.4.57-1 \|\| =9.4.57-1.1 \|\| =9.4.57-1.1~deb12u1 \|\| =9.4.57-1.1~deb13u1 \|\| =9.4.58-1	-
debian 13	jetty12	=12.0.17-3 \|\| =12.0.17-3.1 \|\| =12.0.17-3.1~deb13u1 \|\| =12.0.32-1 \|\| =12.0.32-2 \|\| =12.0.33-1	-
maven	org.eclipse.jetty.ee11:jetty-ee11-jaspi	>=12.1.0 <12.1.8 \|\| >=12.0.0 <12.0.34	12.1.8, 12.0.34
maven	org.eclipse.jetty.ee10:jetty-ee10-jaspi	>=12.1.0 <12.1.8 \|\| >=12.0.0 <12.0.34	12.1.8, 12.0.34
maven	org.eclipse.jetty.ee9:jetty-ee9-jaspi	>=12.1.0 <12.1.8 \|\| >=12.0.0 <12.0.34	12.1.8, 12.0.34
maven	org.eclipse.jetty.ee8:jetty-ee8-jaspi	>=12.1.0 <12.1.8 \|\| >=12.0.0 <12.0.34	12.1.8, 12.0.34

1-10 of 12

Aliases

1. CVE-2026-57952. NVD-2026-57953. OSV-DEBIAN-2026-57954. OSV-2026-57955. GHSA-r7p8-xq5m-436c6. GHSA-gc59-r5jq-98qw7. GCVE-2026-57958. SECURITY-TRACKER-CVE-2026-5795

References

1. https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c2. https://github.com/user-attachments/files/26118760/JaspiAuthenticator_Security_Report.pdf3. https://gitlab.eclipse.org/security/cve-assignment/-/issues/924. https://github.com/jetty/jetty.project

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.