Eclipse Jetty JASPIAuthenticator ThreadLocal Variable Inheritance Vulnerability Leading to Privilege Escalation

Vulnerability

A vulnerability in Eclipse Jetty's JASPIAuthenticator class results in broken access control and can lead to privilege escalation. During authentication the class stores per-request state in two ThreadLocal variables but does not clear them before the method returns. Because Jetty dispatches requests onto threads from a reused pool, the stale values stay attached to the thread and are visible to the next request that happens to be handled on it. That later request can therefore be treated as carrying the previous request's authentication state and be granted access or privileges it should not have.
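The following Java program is an added illustration of the bug class described above; it is not Jetty's source and does not reproduce the real JASPIAuthenticator. The two ThreadLocals (principal, authenticated), the decide() helper and the single-thread executor standing in for a server thread pool are all assumptions made for the example. It runs the vulnerable shape (set, decide, return without clearing) and the hardened shape (clear both ThreadLocals in a finally block) against the same pair of back-to-back requests on one worker thread.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration, not Jetty source. A stand-in for an authenticator that
// parks per-request state in two ThreadLocals and runs on a pooled thread.
public class ThreadLocalLeakDemo {

    // Hypothetical counterparts of the two ThreadLocals described on the page.
    private static final ThreadLocal<String> principal = new ThreadLocal<>();
    private static final ThreadLocal<Boolean> authenticated = new ThreadLocal<>();

    // Vulnerable shape: set the ThreadLocals, decide, and return without clearing.
    static String authenticateLeaky(String user, boolean credentialsOk) {
        if (credentialsOk) {
            principal.set(user);
            authenticated.set(Boolean.TRUE);
        }
        return decide(); // values stay attached to the thread after this returns
    }

    // Hardened shape: clear both ThreadLocals on every exit path, including
    // exceptions, so nothing survives into the next request on this thread.
    static String authenticateFixed(String user, boolean credentialsOk) {
        try {
            if (credentialsOk) {
                principal.set(user);
                authenticated.set(Boolean.TRUE);
            }
            return decide();
        } finally {
            principal.remove();
            authenticated.remove();
        }
    }

    // The authorization decision reads whatever the ThreadLocals currently hold,
    // with no knowledge of which request put the values there.
    private static String decide() {
        if (Boolean.TRUE.equals(authenticated.get())) {
            return "GRANTED as " + principal.get();
        }
        return "DENIED";
    }

    // Runs two requests back to back on a single worker thread, the same
    // situation as a pooled server thread picking up consecutive requests.
    static void runPair(String label, boolean fixed) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            // Request 1: valid credentials for alice.
            String r1 = worker.submit(() -> fixed
                    ? authenticateFixed("alice", true)
                    : authenticateLeaky("alice", true)).get();
            // Request 2: no valid credentials, handled on the same thread.
            String r2 = worker.submit(() -> fixed
                    ? authenticateFixed("anonymous", false)
                    : authenticateLeaky("anonymous", false)).get();
            System.out.println(label + " request 1: " + r1);
            System.out.println(label + " request 2: " + r2);
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        runPair("leaky", false);
        runPair("fixed", true);
    }
}
```

Compile and run with javac and java as a single file. In the leaky run the second, unauthenticated request is granted as alice, because decide() reads the values the first request left on the worker thread; in the fixed run it is denied, because the finally block removed them. When reviewing code for this bug class, look for every ThreadLocal.set() whose call path has no matching remove() in a finally block, and prefer remove() over set(null) so the thread's map entry is actually dropped rather than kept with a null value.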

Impact

Successful exploitation could grant a user access or privileges they are not entitled to, based on authentication state left behind on the serving thread by a previous request.

Added: Apr 8, 2026, 2:44 PM
Updated: Apr 8, 2026, 2:44 PM

Vulnerability Rating

Custom Algorithm

spread:         7.6
impact:         1.3
exploitability: 7.2
remediation:    0.0
relevance:      5.5
threat:         0.0
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.