Description
In Eclipse Jetty, an HTTP URI of this form:





/public;/../admin/secret.txt








results in an unresolved path of:





/public/../admin/secret.txt








instead of the expected:





/admin/secret.txt








Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).




However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Published: 2026-07-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Jul 2026 08:00:00 +0000

Type Values Removed Values Added
Title Unresolved Path Normalization Issue in Eclipse Jetty

Tue, 14 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse jetty
Vendors & Products Eclipse
Eclipse jetty

Tue, 14 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Description In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Weaknesses CWE-647
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-07-14T12:18:29.831Z

Reserved: 2026-05-12T10:01:35.472Z

Link: CVE-2026-8384

cve-icon Vulnrichment

Updated: 2026-07-14T12:18:16.867Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T07:45:05Z

Weaknesses