SB2026071349 - Multiple vulnerabilities in Jetty
Published: July 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-6790)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass host-based access controls and interfere with hostname-based security decisions.
The vulnerability exists due to improper input validation in HTTP/2 and HTTP/3 server-side request handling when processing requests with mismatched :authority and Host values. A remote attacker can send a specially crafted request containing conflicting host identities to bypass host-based access controls and interfere with hostname-based security decisions.
Different layers may interpret different host values from the same request, which can affect virtual host isolation, multi-tenant routing, redirect or callback URL construction, proxy trust chains, and logging.
2) Use of Non-Canonical URL Paths for Authorization Decisions (CVE-ID: CVE-2026-8384)
CWE-ID: CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass path-based security constraints.
The vulnerability exists due to use of non-canonical url paths for authorization decisions in org.eclipse.jetty.util.URIUtil.canonicalPath() when processing request paths containing semicolon path parameters followed by slash-dot segments. A remote attacker can send a specially crafted request path to bypass path-based security constraints.
This can occur when Jetty SecurityHandler.PathMapped is used to protect a path prefix such as /admin/*, causing the non-normalized canonical path to be matched against security constraints.
Remediation
Install update from vendor's website.