CVE-2026-2332

critical

Published 2026-05-26 · Modified 2026-05-20

CVSS v3

9.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2

—

VIR risk

9.1

Description

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Exploit likelihood

94%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-2332.html

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-2332

vendor Authored 2026-05-27

Vendor advisory: emo@eclipse.org — https://gitlab.eclipse.org/security/cve-assignment/-/issues/89

vendor Authored 2026-05-27

Vendor advisory: emo@eclipse.org — https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2026:20568

OS	Version	Status	Fixed in
rhel	9	fixed
debian	forky	fixed	`12.0.33-1`
debian	sid	fixed	`12.0.33-1`
debian	trixie	affected
debian	bookworm	affected
debian	bullseye	affected
sles		affected

Ecosystem	Package	Vulnerable	Fixed
Maven	org.eclipse.jetty:jetty-http	`>=12.1.0,<12.1.7`	`12.1.7`
Maven	org.eclipse.jetty:jetty-http	`>=12.0.0,<12.0.33`	`12.0.33`
Maven	org.eclipse.jetty:jetty-http	`>=11.0.0,<=11.0.27`
Maven	org.eclipse.jetty:jetty-http	`>=10.0.0,<=10.0.27`
Maven	org.eclipse.jetty:jetty-http	`>=9.4.0,<=9.4.59`
MAVEN	org.eclipse.jetty:jetty-http	`>= 9.4.0, <= 9.4.59`
MAVEN	org.eclipse.jetty:jetty-http	`>= 10.0.0, <= 10.0.27`
MAVEN	org.eclipse.jetty:jetty-http	`>= 11.0.0, <= 11.0.27`
MAVEN	org.eclipse.jetty:jetty-http	`>= 12.0.0, <= 12.0.32`	`12.0.33`
MAVEN	org.eclipse.jetty:jetty-http	`>= 12.1.0, <= 12.1.6`	`12.1.7`

Vendor	Product	Versions	Fixed
eclipse	jetty	`{"startIncluding":"9.4.0","endExcluding":"9.4.60"}`	`9.4.60`

CWE-444

Verify integrity in audit chain (admin only). AS-IS.