Improper input validation in Eclipse Jetty
CVE-2026-6790
In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present). This was not enforced in earlier HTTP RFC (for example…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Eclipse Jetty
- Eclipse Foundation Jetty — versions 9.4.0, 10.0.0, 11.0.0
Weakness classification (CWE)
References
- emo@eclipse.org (Vendor Advisory)
Frequently asked questions
- What is CVE-2026-6790?
- CVE-2026-6790 is a medium-severity vulnerability in Eclipse Jetty, classified under Improper Input Validation. CVSS score: 5.3/10. Published 2026-07-14.
- How severe is CVE-2026-6790?
- Medium severity. CVSS v3 base score is 5.3 out of 10.