Use of Non-Canonical URL Paths for Authorization Decisions in Jetty - CVE-2026-8384
Published: July 13, 2026
Jetty
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass path-based security constraints.
The vulnerability exists due to use of non-canonical url paths for authorization decisions in org.eclipse.jetty.util.URIUtil.canonicalPath() when processing request paths containing semicolon path parameters followed by slash-dot segments. A remote attacker can send a specially crafted request path to bypass path-based security constraints.
This can occur when Jetty SecurityHandler.PathMapped is used to protect a path prefix such as /admin/*, causing the non-normalized canonical path to be matched against security constraints.