In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning…
eclipse · CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) · Published 2026-04-08
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request served by the same pooled thread inherits the ThreadLocal values, leading to broken access control and privilege escalation.
### Description (as reported)

A security vulnerability has been identified in Jetty's `JaspiAuthenticator.java`. The root cause is a failure to consistently clear authentication metadata stored in `ThreadLocal` during certain error or incomplete authentication flows. Specifically, after a `GroupPrincipalCallback` is persisted into the `ThreadLocal`, the authentication process may exit prematurely, before the `ThreadLocal` storage is cleared, if a mandatory `CallerPrincipalCallback` is missing or an exception occurs. This allows a subsequent, unprivileged user processed by the same worker thread to inherit these residual security roles, leading to Broken Access Control and Privilege Escalation. See also attached PDF.

### Impact

An unauthenticated user may gain ungranted privileges from a previous request (privilege escalation).

### Patches

No patches yet.

### Workarounds

Do not use Jetty's JASPI.
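The failure mode described above, as an added illustration that is not Jetty's `JaspiAuthenticator` code. The class, record and field names (`ThreadLocalLeakDemo`, `CALLER`, `GROUPS`, `CallerPrincipalCb`, `GroupPrincipalCb`) are hypothetical stand-ins for the two ThreadLocals and the two Jakarta Authentication callbacks the advisory names; the example uses only the JDK so it runs without Jetty. Request A's SAM fires a `GroupPrincipalCallback` carrying `admin` but never the mandatory `CallerPrincipalCallback`, so the vulnerable shape returns early without clearing; request B, an ordinary user with no groups, is then served by the same pooled thread and inherits `admin`. The hardened shape moves the clear into `finally`, which is the example's own fix pattern, not necessarily the one the project will ship.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Function;

public class ThreadLocalLeakDemo {

    // Stand-ins for the Jakarta Authentication callbacks named in the advisory (hypothetical, JDK-only).
    record CallerPrincipalCb(Principal principal) {}
    record GroupPrincipalCb(String[] groups) {}

    /** One request, modelled by the callbacks its ServerAuthModule fires (null = callback not fired). */
    record Request(String id, CallerPrincipalCb caller, GroupPrincipalCb groups) {}

    /** Result of a completed authentication; authenticate*() returns null when the flow was incomplete. */
    record Identity(String caller, List<String> roles) {}

    // The two per-thread slots the advisory describes (field names are hypothetical).
    static final ThreadLocal<Principal> CALLER = new ThreadLocal<>();
    static final ThreadLocal<String[]> GROUPS = new ThreadLocal<>();

    /** Models the CallbackHandler: whatever the SAM hands over is persisted into the ThreadLocals. */
    static void handleCallbacks(Request r) {
        if (r.groups() != null) GROUPS.set(r.groups().groups());
        if (r.caller() != null) CALLER.set(r.caller().principal());
    }

    static void clearThreadLocals() {
        CALLER.remove();
        GROUPS.remove();
    }

    /** Builds the identity from whatever is currently on the thread (caller must be present). */
    static Identity identityFromThread() {
        String[] g = GROUPS.get();
        return new Identity(CALLER.get().getName(), g == null ? List.of() : Arrays.asList(g));
    }

    /** Vulnerable shape: the early return for a missing CallerPrincipalCallback skips the clear. */
    static Identity authenticateVulnerable(Request r) {
        handleCallbacks(r);
        if (CALLER.get() == null) {
            return null;                 // mandatory callback missing: bail out, GROUPS left populated
        }
        Identity id = identityFromThread();
        clearThreadLocals();             // only reached on the happy path
        return id;
    }

    /** Hardened shape: the clear sits in finally, so every exit path (early return, exception) runs it. */
    static Identity authenticateFixed(Request r) {
        try {
            handleCallbacks(r);
            if (CALLER.get() == null) {
                return null;
            }
            return identityFromThread();
        } finally {
            clearThreadLocals();
        }
    }

    /** Runs the requests in order on one pooled thread, as a container would, and returns the last identity. */
    static Identity runOnSharedWorker(Function<Request, Identity> auth, Request... requests) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Identity last = null;
            for (Request r : requests) {
                last = worker.submit(() -> auth.apply(r)).get();
            }
            return last;
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed requests: A fires GroupPrincipalCallback("admin") only; B fires CallerPrincipalCallback("bob") only.
        Request a = new Request("A", null, new GroupPrincipalCb(new String[] {"admin"}));
        Request b = new Request("B", new CallerPrincipalCb(() -> "bob"), null);

        // Vulnerable: B comes back as Identity[caller=bob, roles=[admin]]; fixed: roles=[]
        System.out.println("vulnerable: " + runOnSharedWorker(ThreadLocalLeakDemo::authenticateVulnerable, a, b));
        System.out.println("fixed:      " + runOnSharedWorker(ThreadLocalLeakDemo::authenticateFixed, a, b));
    }
}
```

The single-thread executor is what makes the leak deterministic here; in a real container the same effect depends on which worker thread the scheduler hands the second request, which is why the CVSS vectors below rate attack complexity as High. When auditing a ThreadLocal-based authenticator, check every return and throw path between the `set` and the `remove`, not just the success path.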
| CVSS Version | Type | Source | Base Score | Exploitability Subscore | Impact Subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 7.4 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Secondary | NVD | 7.4 | 2.2 | 5.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Secondary | GHSA | 7.4 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |