CVE-2026-6790
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Eclipse Jetty is an open-source Java web server and Jakarta Servlet container, widely deployed both standalone and embedded inside Java applications and frameworks. Its jetty-server module implements the core HTTP request handling, including how each request's target URI and authority are parsed before the request is dispatched to an application.
An HTTP request smuggling vulnerability (CVE-2026-6790), classified as CWE-20 (Improper Input Validation), has been identified in Eclipse Jetty, which does not enforce that the authority of a request (the host and port taken from an HTTP/1 absolute-form request target, or from the HTTP/2 or HTTP/3 :authority) matches the Host header. A request whose authority and Host name different hosts is accepted instead of rejected, so the two values that identify the target host can diverge and mislead redirect and URI construction, virtual-host selection, reverse-proxy routing, and request logging.
Per OWASP, this class of weakness (CWE-444, Inconsistent Interpretation of HTTP Requests, also known as HTTP Request/Response Smuggling) occurs when the product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
This issue affects all versions of Eclipse Jetty on the 9.4.x, 10.0.x, and 11.0.x lines supported by NES for Jetty, as well as the OSS maintained 12.0.x and 12.1.x lines (fixed upstream in 12.0.35 and 12.1.9).
Details
Module Info
- Product: Eclipse Jetty
- Affected packages: org.eclipse.jetty:jetty-server
- Affected versions: >=9.4.0 <9.4.61, >=10.0.0 <10.0.29, >=11.0.0 <11.0.29, >=12.0.0 <12.0.35, >=12.1.0 <12.1.9
- GitHub repository: https://github.com/jetty/jetty.project
- Published packages: https://central.sonatype.com/artifact/org.eclipse.jetty/jetty-server
- Package manager: Maven
- Fixed in: NES for Jetty already enforces this check on all three supported lines: it ships on the 9.4.x line in jetty-9.4.62, and it has shipped on the 10.0.x and 11.0.x lines since jetty-10.0.14 and jetty-11.0.14 (upstream community-supported lines fixed in Eclipse Jetty 12.0.35 and 12.1.9)
Vulnerability Info
This Medium-severity vulnerability is found in the jetty-server package in multiple versions of Eclipse Jetty. HTTP defines two places in which a request can name its target host: the Host header, and the request authority carried either in an HTTP/1 absolute-form request target (GET http://host/path HTTP/1.1) or in the HTTP/2 and HTTP/3 :authority pseudo-header. RFC 9110 and RFC 9112 require a server to treat these as equivalent and to reject a request in which they disagree.
On the affected releases, Jetty parsed the authority into the request URI and used it for URI reconstruction, virtual-host matching, reverse-proxy target selection, and access logging, but it never compared that authority against the Host header. A request whose authority and Host named different hosts was therefore accepted and processed:
GET http://internal-admin.local/ HTTP/1.1
Host: public.example.com
Here the absolute-form target names internal-admin.local while the Host header names public.example.com. A front-end proxy or access-control layer that makes its decision on the Host header sees public.example.com, while Jetty and any component that consults the request URI or authority see internal-admin.local. Because Jetty did not require the two to match, this disagreement was silently accepted, letting the effective target host diverge between the front-end and the application. The same divergence lets an attacker influence the host that Jetty uses when it builds absolute redirect and self-referential URLs, selects a virtual host, or records the request in its logs.
The remediation makes Jetty compare the request authority against the Host header and reject a mismatch with an HTTP 400 (Mismatched Authority) response by default, restoring the RFC 9110 and RFC 9112 requirement that the authority and Host agree.
The vulnerability carries a CVSS v3.1 base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. No authentication, privileges, or user interaction are required to send a mismatched request, and the impact is bounded to a low integrity effect: the confusion can mislead routing, redirect construction, and logging, but it does not by itself disclose data or take the server offline.
This vulnerability has been present since at least Eclipse Jetty 9.4 and likely earlier.
Mitigation
Jetty 9.4.x, 10.0.x, and 11.0.x are past community End-of-Life and no longer receive open-source updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade Eclipse Jetty to a currently supported release line (12.0.x or 12.1.x) that contains the fix, first shipped in Eclipse Jetty 12.0.35 and 12.1.9.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- No finder is publicly credited for this vulnerability.