Information disclosure in Jetty - CVE-2026-10051
Published: July 13, 2026
Jetty
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper state management in HttpConnection._trailers when processing consecutive HTTP/1.1 keep-alive requests with trailers. A remote attacker can send a request with crafted trailers followed by another request on the same connection to disclose sensitive information.
The issue is limited to reuse of stale trailer data across requests on the same keep-alive connection and is not cross-connection.