CVE-2026-10050
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Eclipse Jetty is an open-source Java web server and Jakarta Servlet container, widely deployed both standalone and embedded inside Java applications and frameworks. Its jetty-security module provides the authentication and authorization framework, including HTTP Digest authentication, and its jetty-client module provides an HTTP client with matching Digest authentication support.
An authorization bypass vulnerability (CVE-2026-10050), classified as CWE-303 (Incorrect Implementation of Authentication Algorithm) and CWE-173 (Improper Handling of Alternate Encoding), has been identified in Eclipse Jetty's HTTP Digest authentication, which allows an attacker who knows a victim's username to authenticate as that victim whenever the victim's password contains characters outside the Latin-1 range. Jetty computes the Digest MD5 hashes over bytes produced by lossy ISO-8859-1 encoding, so every character above U+00FF is silently collapsed to a ?, letting the attacker present a "collision password" (the victim's password with each non-Latin-1 character replaced by ?) that hashes to the same value the server expects. The same lossy encoding also breaks Digest authentication for legitimate users whose passwords contain such characters.
Per OWASP: Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.
This issue affects all versions of Eclipse Jetty on the 9.4.x, 10.0.x, and 11.0.x lines supported by NES for Jetty, as well as the OSS maintained 12.0.x and 12.1.x lines (fixed upstream in 12.0.36 and 12.1.10).
Details
Module Info
- Product: Eclipse Jetty
- Affected packages: org.eclipse.jetty:jetty-security (server), org.eclipse.jetty:jetty-client (client)
- Affected versions: >=9.4.0 <9.4.63, >=10.0.0 <10.0.31, >=11.0.0 <11.0.31, >=12.0.0 <12.0.36, >=12.1.0 <12.1.10
- GitHub repository: https://github.com/jetty/jetty.project
- Published packages: https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-security
- Package manager: Maven
- Fixed in: NES for Jetty backport in progress for the 9.4.x, 10.0.x, and 11.0.x lines (upstream community-supported lines fixed in Eclipse Jetty 12.0.36 and 12.1.10)
Vulnerability Info
This High-severity vulnerability is found in the jetty-security and jetty-client packages in all affected versions of Eclipse Jetty. HTTP Digest authentication (RFC 2617) authenticates a caller by comparing an MD5 digest computed over the username, realm, and password (the H(A1) value) together with request-specific values. Both Jetty's server-side DigestAuthenticator and its client-side DigestAuthentication feed these strings to the MD5 digester as bytes produced by getBytes(StandardCharsets.ISO_8859_1).
On the server, the credential check computes H(A1) like this:
md.update(username.getBytes(StandardCharsets.ISO_8859_1));
md.update(realm.getBytes(StandardCharsets.ISO_8859_1));
md.update(password.getBytes(StandardCharsets.ISO_8859_1));
ha1 = md.digest();
The client performs the same lossy encoding when it builds its response hashes:
String hashA1 = toHexString(digester.digest(a1.getBytes(StandardCharsets.ISO_8859_1)));
String hashA2 = toHexString(digester.digest(a2.getBytes(StandardCharsets.ISO_8859_1)));
final String hashA3 = toHexString(digester.digest(a3.getBytes(StandardCharsets.ISO_8859_1)));
String.getBytes(StandardCharsets.ISO_8859_1) cannot represent characters above U+00FF, so Java silently substitutes each such character with the byte 0x3F, the ASCII ?. Because this substitution is applied identically wherever the password is hashed, a password such as pαssワード and the "collision password" p?ss?? produce the same H(A1). An attacker who knows the victim's username can therefore replace every non-Latin-1 character in the (unknown) real password with ? and authenticate successfully, without knowing the true characters. The attack requires only that the victim's password contain at least one character above U+00FF; no privileges and no user interaction are needed, and the request is authorized as the impersonated user. The same collapse also means legitimate users whose passwords contain non-Latin-1 characters cannot reliably authenticate.
This vulnerability has been present since at least Eclipse Jetty 9.4 and likely earlier.
Mitigation
Jetty 9.4.x, 10.0.x, and 11.0.x are past community End-of-Life and no longer receive open-source updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade Eclipse Jetty to a currently supported release line (12.0.x or 12.1.x) that contains the fix, first shipped in Eclipse Jetty 12.0.36 and 12.1.10.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- hrykx-zy (finder)