{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-2332","assignerOrgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","state":"PUBLISHED","assignerShortName":"eclipse","dateReserved":"2026-02-11T09:56:25.879Z","datePublished":"2026-04-14T10:59:10.193Z","dateUpdated":"2026-07-02T12:04:46.543Z"},"containers":{"cna":{"providerMetadata":{"orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse","dateUpdated":"2026-04-14T10:59:10.193Z"},"title":"HTTP Request Smuggling via Chunked Extension Quoted-String Parsing","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-444","description":"CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')","type":"CWE"}]}],"affected":[{"vendor":"Eclipse Foundation","product":"Eclipse Jetty","collectionURL":"https://repo.maven.apache.org/maven2","packageName":"pkg://maven/org.eclipse.jetty/jetty-http","repo":"https://github.com/jetty/jetty.project","versions":[{"status":"affected","version":"12.1.0","lessThanOrEqual":"12.1.6","versionType":"semver"},{"status":"affected","version":"12.0.0","lessThanOrEqual":"12.0.32","versionType":"semver"},{"status":"affected","version":"11.0.0","lessThanOrEqual":"11.0.27","versionType":"semver"},{"status":"affected","version":"10.0.0","lessThanOrEqual":"10.0.27","versionType":"semver"},{"status":"affected","version":"9.4.0","lessThanOrEqual":"9.4.59","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n  *  https://w4ke.info/2025/06/18/funky-chunks.html\n\n  *  https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at \\r\\n inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.","supportingMedia":[{"type":"text/html","base64":false,"value":"In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:<br><ul><li><span>https://w4ke.info/2025/06/18/funky-chunks.html</span><br></li><li><span>https://w4ke.info/2025/10/29/funky-chunks-2.html</span></li></ul>Jetty terminates chunk extension parsing at&nbsp;<code>\\r\\n</code>&nbsp;inside quoted strings instead of treating this as an error.<br><br>\n<pre>POST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n</pre>\n\n<div><br>Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.<br></div>"}]}],"references":[{"url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf","tags":["third-party-advisory"]},{"url":"https://gitlab.eclipse.org/security/cve-assignment/-/issues/89","tags":["issue-tracking"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseSeverity":"HIGH","baseScore":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}}],"credits":[{"lang":"en","value":"https://github.com/xclow3n","type":"reporter"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-14T00:00:00+00:00","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-2332"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-15T03:58:12.322Z"}},{"affected":[{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4.4::el9"],"defaultStatus":"affected","product":"HawtIO HawtIO 4.4.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7.13"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7.13.5","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_quarkus:3.33"],"defaultStatus":"affected","product":"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:offline_knowledge_portal:1.2::el9"],"defaultStatus":"affected","product":"Red Hat Offline Knowledge Portal 1.2.7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.27::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.27","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_spring_boot:4.18"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:2"],"defaultStatus":"affected","product":"Red Hat build of Debezium 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"affected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_web_server:6"],"defaultStatus":"affected","product":"Red Hat JBoss Web Server 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"affected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2"],"defaultStatus":"affected","product":"streams for Apache Kafka 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_registry:2"],"defaultStatus":"unaffected","product":"Red Hat build of Apicurio Registry 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"unaffected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"unaffected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"],"defaultStatus":"unaffected","product":"Red Hat Process Automation 7","vendor":"Red Hat"}],"datePublic":"2026-04-14T10:59:10.193Z","descriptions":[{"lang":"en","value":"A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-444","description":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-2332"},{"name":"RHBZ#2458187","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458187"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2332.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20568"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25089"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:14272"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22453"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21773"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17668"}],"solutions":[{"lang":"en","value":"RHSA-2026:20568: Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:25089: HawtIO HawtIO 4.4.0"},{"lang":"en","value":"RHSA-2026:14272: Red Hat AMQ Broker 7.13.5"},{"lang":"en","value":"RHSA-2026:22453: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"},{"lang":"en","value":"RHSA-2026:21773: Red Hat Offline Knowledge Portal 1.2.7"},{"lang":"en","value":"RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27"},{"lang":"en","value":"RHSA-2026:17668: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14"}],"timeline":[{"lang":"en","time":"2026-04-14T12:01:05.768Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-14T10:59:10.193Z","value":"Made public."}],"title":"org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing","workarounds":[{"lang":"en","value":"Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-02T12:04:46.543Z"}}]}}