PatchSiren cyber security CVE debrief
CVE-2026-8384 Eclipse Foundation CVE debrief
CVE-2026-8384 is a medium-severity vulnerability in Eclipse Jetty, an open-source web server and servlet container. An HTTP URI of a specific form results in an unresolved path, potentially confusing web applications that rely on resolved paths. Jetty itself is not affected due to its alias checker, but web applications relying on resolved paths may be impacted. Users of Eclipse Jetty and web applications relying on resolved paths should be aware of this vulnerability and review their configurations.
- Vendor
- Eclipse Foundation
- Product
- Eclipse Jetty
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Eclipse Jetty, web applications relying on resolved paths, and security teams responsible for vulnerability management should be aware of this vulnerability. They should review their configurations, assess potential impacts, and implement necessary mitigations or compensating controls. Additionally, operators and platform administrators may need to verify inventory of Jetty instances and their configurations.
Technical summary
In Eclipse Jetty, an HTTP URI of the form /public;/../admin/secret.txt results in an unresolved path of /public/../admin/secret.txt instead of the expected /admin/secret.txt. Although Jetty's alias checker prevents serving the secret.txt file, web applications relying on resolved paths may be confused. This confusion could lead to unintended behavior or exposure in certain scenarios. Affected web applications may need to review and update their path resolution mechanisms.
Defensive priority
Medium priority due to potential confusion in web applications relying on resolved paths. Defenders should focus on reviewing configurations, monitoring for unusual behavior, and implementing compensating controls.
Recommended defensive actions
- Review and update web applications relying on resolved paths in Jetty
- Implement compensating controls to monitor and track path resolution
- Verify inventory of Jetty instances and their configurations
- Review relevant monitoring, detection, and logs for exposed assets
- Track exceptions and retest remediated assets
- Plan vendor-supported updates or mitigations through normal change control
- Confirm whether affected product deployments exist in managed environments
Evidence notes
Evidence is limited. Official CVE and NVD records provide basic information. Further investigation is needed to fully understand the impact on web applications. Defenders should verify inventory of Jetty instances, review configurations, and monitor for unusual path resolution behavior. Additional research may be required to assess the vulnerability's impact on specific web applications.
Official resources
-
CVE-2026-8384 CVE record
CVE.org
-
CVE-2026-8384 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:42.050Z and has not been modified since then.