CVE-2026-2332
WSO2 Products impacted: no
Customer action required: no
REPORTED VULNERABILITY
The Jetty HTTP server has a vulnerability in its handling of chunked transfer-encoded messages that could potentially be exploited for HTTP request smuggling [1].
REPORTED PRODUCTS
- WSO2 API Manager : 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0
WSO2 JUSTIFICATION
This vulnerability has been addressed in Jetty versions 9.4.60 and above in the 9.4.x series, 10.0.28 and above in the 10.0.x series, 11.0.28 and above in the 11.0.x series, 12.0.33 and above in the 12.0.x series, and 12.1.7 and above in the 12.1.x series [2]. As of April 29, 2026, jetty-http remains an embedded dependency of Apache Solr with this exposure unresolved. Specifically, Solr 10.x releases (including the current 10.0.0 release) include Jetty 12.0.27, which does not meet the minimum fixed version of 12.0.33. No Solr release as of this date incorporates a fixed Jetty version. Additionally, migrating to future Solr 10.x versions that may include a fixed Jetty would introduce significant breaking changes in the context of WSO2 API Manager. Due to these constraints, we are publishing this CVE justification with a detailed analysis of the CVE, outlining how the associated risks are mitigated in WSO2 products and the actions WSO2 is taking in response.
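The following script is an added example, not part of this advisory or of WSO2's tooling. It encodes the per-series fixed versions stated above and audits the jetty-http jar filenames found in a product distribution (for example under an installation directory such as APIM_HOME, a placeholder path) so that an administrator can confirm which Jetty series and patch level is actually bundled. The sample jar names at the bottom are constructed for illustration; only 12.0.27 (the version bundled with Solr 10.0.0) is taken from the advisory.

```python
"""Audit bundled jetty-http jar versions against the fixed versions
listed in the CVE-2026-2332 advisory (added example, not WSO2 tooling)."""
import re
from pathlib import Path

# Minimum fixed version per release series, as stated in the advisory.
FIXED_VERSIONS = {
    (9, 4): (9, 4, 60),
    (10, 0): (10, 0, 28),
    (11, 0): (11, 0, 28),
    (12, 0): (12, 0, 33),
    (12, 1): (12, 1, 7),
}

# Matches jetty-http-<major>.<minor>.<patch>[.<qualifier>].jar, e.g. the
# 9.4.x naming style jetty-http-9.4.57.v20241219.jar.
JAR_PATTERN = re.compile(r"^jetty-http-(\d+)\.(\d+)\.(\d+)(?:\.[^/]*)?\.jar$")


def parse_version(name):
    """Return (major, minor, patch) for a jetty-http jar filename, or None."""
    m = JAR_PATTERN.match(name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True if the version is at or above the fixed release of its series.

    Series the advisory does not list (e.g. 8.x) are reported as None so
    the caller does not silently treat them as safe.
    """
    series = version[:2]
    if series not in FIXED_VERSIONS:
        return None
    return version >= FIXED_VERSIONS[series]


def audit_jars(names):
    """Classify each jetty-http jar filename as fixed, vulnerable or unknown."""
    results = {}
    for name in names:
        version = parse_version(name)
        if version is None:
            continue  # not a jetty-http jar
        state = is_fixed(version)
        if state is None:
            results[name] = "unknown"
        else:
            results[name] = "fixed" if state else "vulnerable"
    return results


def scan_directory(root):
    """Walk a distribution directory (e.g. APIM_HOME, a placeholder) and audit
    every jetty-http jar found beneath it."""
    return audit_jars(p.name for p in Path(root).rglob("jetty-http-*.jar"))


if __name__ == "__main__":
    # Constructed sample filenames: the Solr 10.0.0 bundle's Jetty 12.0.27,
    # a fixed 12.0.x build, a 9.4.x build below the threshold, and an
    # unlisted 8.x series.
    sample = [
        "jetty-http-12.0.27.jar",
        "jetty-http-12.0.33.jar",
        "jetty-http-9.4.57.v20241219.jar",
        "jetty-http-8.1.0.jar",
    ]
    for jar, state in audit_jars(sample).items():
        print(f"{jar}: {state}")
```

Run `scan_directory("/path/to/APIM_HOME")` against a real installation to list the bundled jars; a "vulnerable" result only tells you the code is present, which is the situation this advisory describes, and the reachability analysis below is what determines whether that presence is a risk.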
The vulnerable jetty-http dependency is included transitively through the Apache Solr bundle, which supports content and artifact search capabilities in the product portals of the affected WSO2 product versions. The CVE-2026-2332 vulnerability is exploitable specifically when Jetty's HttpParser parses inbound HTTP/1.1 chunked transfer-encoded requests, i.e., when Jetty operates as an HTTP server [2]. A thorough analysis of all Solr-related code paths in WSO2 products confirms that this execution path is never reached:
- Default embedded Solr mode: In the default product configuration, Solr runs in embedded mode via the EmbeddedSolrServer API, which communicates with Solr through direct in-process Java method calls. No Jetty HTTP server is started and no HTTP connections of any kind are made. Jetty's HttpParser is never invoked.
- Remote HTTP Solr mode: WSO2 API Manager does not use external Solr servers or SolrJ's HttpSolrClient; there is no use case in the product codebase that initialises Jetty-backed Solr transports.
Therefore, although the vulnerable jetty-http dependency is present in the packaged Solr component, the vulnerable HTTP/1.1 chunked request parsing code path in HttpParser is not reachable through any of the Solr usage patterns in the above-mentioned WSO2 products.
Based on this evidence, we conclude that this vulnerability does not pose a security risk to the impacted versions of WSO2 products listed above.