Improper Handling of Alternate Encoding in Jetty - CVE-2026-10050
Published: July 13, 2026
Jetty
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper handling of alternate encoding in DigestAuthentication.apply() when computing Digest authentication response hashes using ISO-8859-1 encoding. A remote attacker can use a password variant in which non-Latin-1 characters are replaced with '?' characters to bypass authentication.
Successful exploitation requires knowledge of the target username and a password containing characters outside the U+00FF range.