CVE-2026-10050

Authorization Bypass
Affects
Eclipse Jetty
in
Jetty
No items found.
Versions
>=9.4.0 <9.4.63, >=10.0.0 <10.0.31, >=11.0.0 <11.0.31, >=12.0.0 <12.0.36, >=12.1.0 <12.1.10
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Eclipse Jetty is an open-source Java web server and Jakarta Servlet container, widely deployed both standalone and embedded inside Java applications and frameworks. Its jetty-security module provides the authentication and authorization framework, including HTTP Digest authentication, and its jetty-client module provides an HTTP client with matching Digest authentication support.

An authorization bypass vulnerability (CVE-2026-10050), classified as CWE-303 (Incorrect Implementation of Authentication Algorithm) and CWE-173 (Improper Handling of Alternate Encoding), has been identified in Eclipse Jetty's HTTP Digest authentication, which allows an attacker who knows a victim's username to authenticate as that victim whenever the victim's password contains characters outside the Latin-1 range. Jetty computes the Digest MD5 hashes over bytes produced by lossy ISO-8859-1 encoding, so every character above U+00FF is silently collapsed to a ?, letting the attacker present a "collision password" (the victim's password with each non-Latin-1 character replaced by ?) that hashes to the same value the server expects. The same lossy encoding also breaks Digest authentication for legitimate users whose passwords contain such characters.

Per OWASP: Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

This issue affects all versions of Eclipse Jetty on the 9.4.x, 10.0.x, and 11.0.x lines supported by NES for Jetty, as well as the OSS maintained 12.0.x and 12.1.x lines (fixed upstream in 12.0.36 and 12.1.10).

Details

Module Info

Vulnerability Info

This High-severity vulnerability is found in the jetty-security and jetty-client packages in all affected versions of Eclipse Jetty. HTTP Digest authentication (RFC 2617) authenticates a caller by comparing an MD5 digest computed over the username, realm, and password (the H(A1) value) together with request-specific values. Both Jetty's server-side DigestAuthenticator and its client-side DigestAuthentication feed these strings to the MD5 digester as bytes produced by getBytes(StandardCharsets.ISO_8859_1).

On the server, the credential check computes H(A1) like this:

md.update(username.getBytes(StandardCharsets.ISO_8859_1));
md.update(realm.getBytes(StandardCharsets.ISO_8859_1));
md.update(password.getBytes(StandardCharsets.ISO_8859_1));
ha1 = md.digest();

The client performs the same lossy encoding when it builds its response hashes:

String hashA1 = toHexString(digester.digest(a1.getBytes(StandardCharsets.ISO_8859_1)));
String hashA2 = toHexString(digester.digest(a2.getBytes(StandardCharsets.ISO_8859_1)));
final String hashA3 = toHexString(digester.digest(a3.getBytes(StandardCharsets.ISO_8859_1)));

String.getBytes(StandardCharsets.ISO_8859_1) cannot represent characters above U+00FF, so Java silently substitutes each such character with the byte 0x3F, the ASCII ?. Because this substitution is applied identically wherever the password is hashed, a password such as pαssワード and the "collision password" p?ss?? produce the same H(A1). An attacker who knows the victim's username can therefore replace every non-Latin-1 character in the (unknown) real password with ? and authenticate successfully, without knowing the true characters. The attack requires only that the victim's password contain at least one character above U+00FF; no privileges and no user interaction are needed, and the request is authorized as the impersonated user. The same collapse also means legitimate users whose passwords contain non-Latin-1 characters cannot reliably authenticate.

This vulnerability has been present since at least Eclipse Jetty 9.4 and likely earlier.

Mitigation

Jetty 9.4.x, 10.0.x, and 11.0.x are past community End-of-Life and no longer receive open-source updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Eclipse Jetty to a currently supported release line (12.0.x or 12.1.x) that contains the fix, first shipped in Eclipse Jetty 12.0.36 and 12.1.10.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-10050
PROJECT Affected
Eclipse Jetty
Versions Affected
>=9.4.0 <9.4.63, >=10.0.0 <10.0.31, >=11.0.0 <11.0.31, >=12.0.0 <12.0.36, >=12.1.0 <12.1.10
NES Versions Affected
Published date
July 16, 2026
≈ Fix date
July 15, 2026
Category
Authorization Bypass
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Jetty
Rss feed icon
Subscribe via RSS
or

By submitting the form I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.