CVE-2026-8384
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/07/2026
Last modified:
14/07/2026
Description
In Eclipse Jetty, an HTTP URI of this form:<br />
<br />
<br />
<br />
<br />
<br />
/public;/../admin/secret.txt<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
results in an unresolved path of:<br />
<br />
<br />
<br />
<br />
<br />
/public/../admin/secret.txt<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
instead of the expected:<br />
<br />
<br />
<br />
<br />
<br />
/admin/secret.txt<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).<br />
<br />
<br />
<br />
<br />
However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM



