Skip to main content

Eclipse Jetty EUVDEUVD-2026-43647

| CVE-2026-8384 MEDIUM
Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647)
2026-07-14 eclipse
5.3
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable with no authentication; integrity impact limited to application path confusion, no confidentiality or availability impact since Jetty's alias checker blocks direct file serving.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 09:34 vuln.today

DescriptionCVE.org

In Eclipse Jetty, an HTTP URI of this form:

/public;/../admin/secret.txt

results in an unresolved path of:

/public/../admin/secret.txt

instead of the expected:

/admin/secret.txt

Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).

However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

AnalysisAI

Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., /public/../admin/secret.txt) to downstream web applications instead of the canonicalized form (e.g., /admin/secret.txt). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like /public;/../admin/secret.txt to receive a path that bypasses application-layer access controls. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted URI with semicolon path parameter
Delivery
Jetty parses without resolving traversal
Exploit
Unresolved path delivered to web application
Execution
Application evaluates non-canonical path for authorization
Persist
Access control check matches wrong path segment
Impact
Unauthorized access to restricted resource

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: first, the target web application must be hosted on Eclipse Jetty (any version per current CPE data); second, and critically, the application's own authorization or routing logic must use the path string supplied by Jetty (e.g., via `HttpServletRequest.getPathInfo()` or `getServletPath()`) without independently normalizing or canonicalizing it prior to making access control decisions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N reflects a network-reachable, low-complexity, unauthenticated attack with limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP GET request to a Jetty-hosted application with a crafted URI such as `GET /public;/../admin/secret.txt HTTP/1.1`. Jetty's alias checker prevents it from serving the file directly, but the application's authorization middleware receives the unresolved path `/public/../admin/secret.txt`, evaluates it against the `/public/` access rule (matching the leading segment), and incorrectly grants access - responding with the contents of `admin/secret.txt`. …
Remediation No vendor-released patch version is independently confirmed from the available data; the only reference is the Eclipse GitLab work item at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/108, which should be monitored for patch release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy