
Apache Tomcat CVE-2026-41284

EUVD: EUVD-2026-29513 · HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
Published 2026-05-12 · apache · GHSA-gx5v-xp9w-j4cg
CVSS 3.1 (NVD): 7.5

Severity by source

NVD (primary): 7.5 HIGH · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Jun 08, 2026 09:06 · vuln.today · Analysis generated
May 13, 2026 16:22 · NVD · CVSS changed to 7.5 (HIGH)
May 12, 2026 15:14 · NVD · CVE published, severity HIGH 7.5
May 12, 2026 15:14 · NVD · CVE published, no severity yet

Blast Radius (ecosystem impact)

Dependent counts come from the transitive dependency graph of your stack (vuln.today resolves paths to a depth of 4):
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.1.0-M1 and other introduced versions.

Description (CVE.org)

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
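The affected ranges above mix two milestone spellings (9.0.0.M1 versus 10.1.0-M1) and a GA release must sort after every milestone of the same x.y.z, so a naive string comparison will misclassify builds. The following is an added example, not code from vuln.today or the Apache Tomcat project: it parses Tomcat version strings, checks them against the ranges copied from the CVE description, and triages a constructed inventory whose records carry the "Server version: Apache Tomcat/x.y.z" line printed by catalina.sh version. Anything older than 9.0.0.M1 is reported as an unsupported branch rather than cleared, because the description says those versions may also be affected.

```python
"""Classify Apache Tomcat version strings against the ranges listed for CVE-2026-41284.

Added example: the ranges are copied from the CVE description; the inventory
records at the bottom are constructed for illustration and are not real hosts.
"""
import re
from typing import NamedTuple, Optional

# Accepts GA releases ("9.0.117") and both milestone spellings Tomcat has used:
# dotted for 9.0.x ("9.0.0.M1") and hyphenated for 10.1.x/11.0.x ("10.1.0-M1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: Optional[int]  # None for a GA release

    def key(self) -> tuple:
        # A GA release sorts after every milestone of the same x.y.z, so give it
        # a sentinel larger than any plausible milestone number.
        ms = self.milestone if self.milestone is not None else 10**6
        return (self.major, self.minor, self.patch, ms)


def parse_version(text: str) -> TomcatVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch), int(ms) if ms else None)


# Inclusive affected ranges exactly as given in the CVE description.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.21"),
    ("10.1.0-M1", "10.1.54"),
    ("9.0.0.M1", "9.0.117"),
]
OLDEST_LISTED = "9.0.0.M1"


def classify(version: str) -> str:
    """Return 'affected', 'unsupported-branch' or 'not-in-listed-range'."""
    v = parse_version(version).key()
    for low, high in AFFECTED_RANGES:
        if parse_version(low).key() <= v <= parse_version(high).key():
            return "affected"
    # 8.5.x, 7.0.x and earlier are EOL; the description says they "may also be
    # affected", so they are flagged for manual review rather than cleared.
    if v < parse_version(OLDEST_LISTED).key():
        return "unsupported-branch"
    return "not-in-listed-range"


_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def version_from_server_info(text: str) -> Optional[str]:
    """Pull the version out of a 'Server version: Apache Tomcat/x.y.z' line
    (as printed by `catalina.sh version`, or a Server header if one is exposed)."""
    m = _SERVER_INFO_RE.search(text)
    return m.group(1) if m else None


def triage_inventory(lines):
    """lines: 'host<TAB>server-version-output' records; returns {host: verdict}."""
    verdicts = {}
    for line in lines:
        host, _, info = line.partition("\t")
        ver = version_from_server_info(info)
        verdicts[host] = classify(ver) if ver else "version-unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory records, not real hosts.
    sample = [
        "web01\tServer version: Apache Tomcat/9.0.117",
        "web02\tServer version: Apache Tomcat/10.1.55",
        "web03\tServer version: Apache Tomcat/11.0.0-M3",
        "legacy\tServer version: Apache Tomcat/8.5.100",
        "unknown\tconnection refused",
    ]
    for host, verdict in triage_inventory(sample).items():
        print(f"{host:8} {verdict}")
```

The upper bounds are the last affected builds named in the description, not the fixed releases; once the [FIXED_VERSION] placeholder is resolved from the Apache advisory, anything at or above that build on each branch will fall into not-in-listed-range, which is the desired outcome.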

Analysis (AI-generated)

Denial of service in Apache Tomcat 9.x, 10.1.x, and 11.0.x allows remote unauthenticated attackers to exhaust server resources due to missing limits or throttling on a resource allocation path (CWE-770). Affected versions span 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, and 9.0.0.M1 through 9.0.117, with older unsupported branches also implicated per the EUVD entry. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: identify an exposed Tomcat connector
Delivery: send crafted HTTP requests
Exploit: trigger unbounded resource allocation
Execution: exhaust threads or memory
Impact: deny service to legitimate users

Vulnerability Assessment (AI-generated)

Exploitation: A reachable Apache Tomcat HTTP or AJP connector on an affected version (11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, or an older unsupported branch, which the description says may also be affected) is required; no authentication, no user interaction, and no non-default deployment option is needed per CVSS AV:N/AC:L/PR:N/UI:N. …
Risk Assessment: Signals are mixed and lean toward moderate-but-not-urgent priority. …
Exploit Scenario: A remote unauthenticated attacker sends a stream of crafted HTTP requests to an internet-exposed Tomcat connector that causes the server to allocate unbounded resources (memory, threads, or buffers) per request, exhausting the JVM or the connector pool and rendering hosted applications unavailable to legitimate users. Given AC:L and PR:N the request flow is straightforward, and SSVC marks the issue as automatable, so a single script could enumerate and degrade many instances; no public exploit is identified at the time of analysis.
Remediation: A patch is available per the vendor advisory. Upgrade to the fixed Apache Tomcat release for your branch as announced on the Apache dev list (https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc). The description supplied to this analysis contains the literal placeholder [FIXED_VERSION], so confirm the precise patched build for your branch from the Apache advisory and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-41284) before rollout. SUSE and HeroDevs (https://www.herodevs.com/vulnerability-directory/cve-2026-41284) also publish branch-specific guidance for distribution and legacy users. …

Recommended Action (AI-generated)

24 hours: Identify and inventory all Tomcat instances running 9.0.0.M1 through 9.0.117, 10.1.0-M1 through 10.1.54, or 11.0.0-M1 through 11.0.21 (plus any older, unsupported branch); implement emergency monitoring for abnormal resource consumption and connection spike patterns. …
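The monitoring step above is easiest to bootstrap from the access log that Tomcat already writes. The following is an added example, not vuln.today or Apache code, of the kind of spike detection meant here: it parses AccessLogValve "common"-pattern lines (%h %l %u %t "%r" %s %b), computes each client's peak request count inside a sliding window, and flags clients over a threshold. The log it runs on is constructed inside build_sample_log() (one ordinary client and one client sending ten requests per second), and the window and threshold are illustrative values to tune against a real baseline.

```python
"""Flag per-client request bursts in Tomcat access logs.

Added example for the monitoring recommendation; not vuln.today or Apache code.
Assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and runs
on a constructed log from build_sample_log() rather than real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'req', 'status'} for a well-formed line, else None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], _TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def peak_rate_per_client(lines, window_s=10):
    """Largest number of requests any single client sent within window_s seconds."""
    times_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times_by_ip[rec["ip"]].append(rec["ts"])
    peaks = {}
    for ip, times in times_by_ip.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            # Slide the left edge until every event in times[j:i+1] is inside the window.
            while (t - times[j]).total_seconds() >= window_s:
                j += 1
            best = max(best, i - j + 1)
        peaks[ip] = best
    return peaks


def flag_spikes(lines, window_s=10, threshold=50):
    """Clients whose peak in-window count reaches the threshold, with that count."""
    return {ip: n for ip, n in peak_rate_per_client(lines, window_s).items() if n >= threshold}


def build_sample_log():
    """Constructed log: one normal client plus one client hammering a single URL."""
    t0 = datetime(2026, 5, 12, 15, 14, 0, tzinfo=timezone.utc)
    events = []
    for k in range(5):  # a browser-like client, one request every 3 s
        events.append((t0 + timedelta(seconds=3 * k), "198.51.100.4", "GET /app/ HTTP/1.1", 200, 1234))
    for k in range(80):  # a flood: ten requests per second for eight seconds
        events.append((t0 + timedelta(seconds=k // 10), "203.0.113.7", "POST /app/upload HTTP/1.1", 200, 0))
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(_TS_FMT)}] "{req}" {status} {size}'
            for ts, ip, req, status, size in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, n in flag_spikes(SAMPLE_LOG).items():
        print(f"spike: {ip} sent {n} requests inside a 10 s window")
```

Because the access log is written when a request completes, a client holding connections open without finishing requests will not show up here; pair this with connector-level metrics (current thread and connection counts from the JMX ThreadPool MBeans) to catch that pattern, which the attack chain above also covers.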



Vendor Status

SUSE
Severity: High
Product status:
  SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
  SUSE Linux Enterprise Module for Web and Scripting 15 SP7: Fixed


CVE-2026-41284 vulnerability details – vuln.today