SB2026071349 - Multiple vulnerabilities in Jetty



SB2026071349 - Multiple vulnerabilities in Jetty

Published: July 13, 2026

Security Bulletin ID SB2026071349
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-6790)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass host-based access controls and interfere with hostname-based security decisions.

The vulnerability exists due to improper input validation in HTTP/2 and HTTP/3 server-side request handling when processing requests with mismatched :authority and Host values. A remote attacker can send a specially crafted request containing conflicting host identities to bypass host-based access controls and interfere with hostname-based security decisions.

Different layers may interpret different host values from the same request, which can affect virtual host isolation, multi-tenant routing, redirect or callback URL construction, proxy trust chains, and logging.


2) Use of Non-Canonical URL Paths for Authorization Decisions (CVE-ID: CVE-2026-8384)

CWE-ID: CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass path-based security constraints.

The vulnerability exists due to use of non-canonical url paths for authorization decisions in org.eclipse.jetty.util.URIUtil.canonicalPath() when processing request paths containing semicolon path parameters followed by slash-dot segments. A remote attacker can send a specially crafted request path to bypass path-based security constraints.

This can occur when Jetty SecurityHandler.PathMapped is used to protect a path prefix such as /admin/*, causing the non-normalized canonical path to be matched against security constraints.


Remediation

Install update from vendor's website.