ALAS2-2026-3277

Amazon Linux 2 Security Advisory: ALAS2-2026-3277
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity: Important
Issue Overview:

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.


Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.


A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation. (CVE-2026-5795)


Affected Packages:

jetty


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update jetty or yum update --advisory ALAS2-2026-3277 to update your system.

New Packages:
noarch:
    jetty-project-9.0.3-8.amzn2.0.7.noarch
    jetty-annotations-9.0.3-8.amzn2.0.7.noarch
    jetty-ant-9.0.3-8.amzn2.0.7.noarch
    jetty-client-9.0.3-8.amzn2.0.7.noarch
    jetty-continuation-9.0.3-8.amzn2.0.7.noarch
    jetty-deploy-9.0.3-8.amzn2.0.7.noarch
    jetty-http-9.0.3-8.amzn2.0.7.noarch
    jetty-io-9.0.3-8.amzn2.0.7.noarch
    jetty-jaas-9.0.3-8.amzn2.0.7.noarch
    jetty-jaspi-9.0.3-8.amzn2.0.7.noarch
    jetty-jmx-9.0.3-8.amzn2.0.7.noarch
    jetty-jndi-9.0.3-8.amzn2.0.7.noarch
    jetty-jsp-9.0.3-8.amzn2.0.7.noarch
    jetty-jspc-maven-plugin-9.0.3-8.amzn2.0.7.noarch
    jetty-maven-plugin-9.0.3-8.amzn2.0.7.noarch
    jetty-monitor-9.0.3-8.amzn2.0.7.noarch
    jetty-plus-9.0.3-8.amzn2.0.7.noarch
    jetty-proxy-9.0.3-8.amzn2.0.7.noarch
    jetty-rewrite-9.0.3-8.amzn2.0.7.noarch
    jetty-runner-9.0.3-8.amzn2.0.7.noarch
    jetty-security-9.0.3-8.amzn2.0.7.noarch
    jetty-server-9.0.3-8.amzn2.0.7.noarch
    jetty-servlet-9.0.3-8.amzn2.0.7.noarch
    jetty-servlets-9.0.3-8.amzn2.0.7.noarch
    jetty-start-9.0.3-8.amzn2.0.7.noarch
    jetty-util-9.0.3-8.amzn2.0.7.noarch
    jetty-util-ajax-9.0.3-8.amzn2.0.7.noarch
    jetty-webapp-9.0.3-8.amzn2.0.7.noarch
    jetty-xml-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-api-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-client-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-common-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-parent-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-server-9.0.3-8.amzn2.0.7.noarch
    jetty-websocket-servlet-9.0.3-8.amzn2.0.7.noarch
    jetty-javadoc-9.0.3-8.amzn2.0.7.noarch

src:
    jetty-9.0.3-8.amzn2.0.7.src

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2026-5795

Mitre: CVE-2026-5795