CVE-2026-8384

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/07/2026
Last modified:
14/07/2026

Description

In Eclipse Jetty, an HTTP URI of this form:<br /> <br /> <br /> <br /> <br /> <br /> /public;/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> results in an unresolved path of:<br /> <br /> <br /> <br /> <br /> <br /> /public/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> instead of the expected:<br /> <br /> <br /> <br /> <br /> <br /> /admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).<br /> <br /> <br /> <br /> <br /> However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

References to Advisories, Solutions, and Tools