Information disclosure in Jetty - CVE-2026-10051

 

Information disclosure in Jetty - CVE-2026-10051

Published: July 13, 2026


Vulnerability identifier: #VU137398
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-10051
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Eclipse
Affected software:
Jetty

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper state management in HttpConnection._trailers when processing consecutive HTTP/1.1 keep-alive requests with trailers. A remote attacker can send a request with crafted trailers followed by another request on the same connection to disclose sensitive information.

The issue is limited to reuse of stale trailer data across requests on the same keep-alive connection and is not cross-connection.


How to mitigate CVE-2026-10051

Install security update from vendor's website.

Sources