CVE-2026-6790
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-20
Validación incorrecta de entrada
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026
Descripción
*** Pendiente de traducción *** In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present).<br />
<br />
<br />
<br />
<br />
This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112).<br />
<br />
<br />
<br />
<br />
This mismatch can cause a number of problems that may be classified as vulnerabilities such as:<br />
<br />
<br />
<br />
* <br />
<br />
URI constructions (for example, for redirects -- this is typical for login pages)<br />
<br />
* <br />
<br />
Virtual host selection<br />
<br />
* <br />
<br />
Reverse proxying<br />
<br />
* <br />
<br />
Misleading logs<br />
<br />
* <br />
<br />
Etc.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.
Impacto
Puntuación base 3.x
5.30
Gravedad 3.x
MEDIA



