Skip to main content

Eclipse Jetty EUVDEUVD-2026-43646

| CVE-2026-6790 MEDIUM
Improper Input Validation (CWE-20)
2026-07-14 eclipse
5.3
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable without authentication and no special conditions required; impact limited to partial integrity via redirect or routing manipulation, with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 09:34 vuln.today
CVE Published
Jul 14, 2026 - 08:51 cve.org
MEDIUM 5.3

DescriptionCVE.org

In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).

This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).

This mismatch can cause a number of problems that may be classified as vulnerabilities such as:

*

URI constructions (for example, for redirects -- this is typical for login pages)

*

Virtual host selection

*

Reverse proxying

*

Misleading logs

*

Etc.

Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.

AnalysisAI

Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the value in the Host header across all supported protocol versions - HTTP/1, HTTP/2, and HTTP/3. Unauthenticated network attackers can exploit this input validation gap to manipulate Host-header-derived URI constructions (particularly redirect targets on login pages), influence virtual host selection, corrupt reverse proxy routing decisions, and produce misleading access logs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft HTTP request with mismatched request-line authority and Host header
Delivery
Send unauthenticated request to publicly reachable Jetty endpoint
Exploit
Jetty skips RFC 9110 authority-Host consistency check
Execution
Application consumes attacker-supplied Host value for redirect or routing decision
Impact
Victim's browser follows manipulated Host-derived redirect to attacker-controlled destination

Vulnerability AssessmentAI

Exploitation No authentication is required (PR:N per CVSS vector) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects the low attack complexity and unauthenticated network reachability, while correctly limiting impact to partial integrity - no confidentiality or availability consequences are expected. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP/1.1 request to a Jetty-hosted login page with a request line specifying the legitimate server's authority but a Host header value pointing to an attacker-controlled domain. Jetty, without enforcing authority-Host consistency, processes the request and constructs a post-authentication redirect URI derived from the manipulated Host header, redirecting the authenticated user's browser to the attacker's domain - enabling credential harvesting or session token theft. …
Remediation Monitor the Eclipse Foundation's security tracker at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/99 and upgrade to the patched Jetty release once announced; no specific fix version has been confirmed in the available data, so a release version cannot be cited here. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy