Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-6790

Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-20 Validación incorrecta de entrada
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).<br /> <br /> <br /> <br /> <br /> This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).<br /> <br /> <br /> <br /> <br /> This mismatch can cause a number of problems that may be classified as vulnerabilities such as:<br /> <br /> <br /> <br /> * <br /> <br /> URI constructions (for example, for redirects -- this is typical for login pages)<br /> <br /> * <br /> <br /> Virtual host selection<br /> <br /> * <br /> <br /> Reverse proxying<br /> <br /> * <br /> <br /> Misleading logs<br /> <br /> * <br /> <br /> Etc.<br /> <br /> <br /> <br /> <br /> <br /> <br /> Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.

Referencias a soluciones, herramientas e información