Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Remote and unauthenticated (AV:N/PR:N), but requires a non-default OR-chained rewrite configuration so AC:H; impact is access-control bypass / information disclosure with no real availability effect, hence C:L/I:L/A:N.
Primary rating from Vendor (apache).
CVSS Vector (Vendor: apache): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (CVE.org)
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Analysis (AI)
Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.118, 10.1.0-M1 through 10.1.55, and 11.0.0-M1 through 11.0.22) arises because, once the first condition in an `[OR]` chain matched, the subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker need only satisfy the first condition; the later guard conditions are silently skipped, leading to information disclosure or unintended request routing. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the target Tomcat instance to use the RewriteValve (rewrite.config) with at least one condition chain that combines `[OR]`-flagged conditions followed by additional non-OR (AND) conditions used to enforce access, routing, or filtering decisions; that specific configuration is the precondition. … |
| Risk Assessment | The NVD/Apache CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L = 7.3 High) reflects a network-reachable, unauthenticated condition with low impact across confidentiality, integrity and availability, consistent with an access-control/information-disclosure logic bug rather than code execution. … |
| Exploit Scenario | An operator uses a RewriteValve rule that permits a request only when it matches an allowed host `[OR]` an allowed source, AND a following condition restricts it to a safe path; because the path condition is skipped once the first OR condition matches, an attacker sends a request that satisfies only the host condition and reaches a path that should have been blocked, disclosing protected content. No authentication or user interaction is required, but success depends on the target actually using such an OR-chained rewrite configuration. … |
| Remediation | Vendor-released patch: upgrade to Apache Tomcat 11.0.23, 10.1.56, or 9.0.119 (matching your branch), as directed in the Apache advisory at https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz. … |
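The precondition and the exploit scenario in the assessment above, as an added example that is not part of this page or of the Tomcat project: a small Python auditor that parses a rewrite.config, groups each RewriteRule with the RewriteCond lines preceding it, and flags conditions that sit after a completed `[OR]` chain, together with a simplified model of AND/`[OR]` condition evaluation that reproduces the skipping behaviour the advisory describes, so the effect on a host/path guard is visible side by side with the correct result. The sample config, the request values and the evaluation model are constructed for illustration; accepting `OR`/`ornext` as the chain flag follows mod_rewrite-style syntax, and treating every condition after the chain's closing member as affected is an assumption of this audit.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample rewrite.config (not from any real deployment).
# The guard rule permits a request only when (host is allowed OR client is
# trusted) AND the path is outside /internal/; the third condition is the one
# the advisory says was never evaluated once the first [OR] condition matched.
SAMPLE_CONFIG = """\
# constructed example
RewriteCond %{HTTP_HOST} ^public\\.example\\.org$ [OR]
RewriteCond %{REMOTE_ADDR} ^10\\.0\\.0\\.
RewriteCond %{REQUEST_URI} !^/internal/
RewriteRule ^/(.*)$ /app/$1 [L]

RewriteCond %{REQUEST_URI} ^/static/
RewriteRule ^/static/(.*)$ /cdn/$1 [L]
"""

@dataclass
class Cond:
    test: str          # e.g. %{HTTP_HOST}
    pattern: str       # regex, optionally prefixed with '!' for negation
    flags: list[str]
    lineno: int

    @property
    def is_or(self) -> bool:
        # mod_rewrite-style chain flag; assumption: OR and ornext are equivalent
        return any(f.upper() in ("OR", "ORNEXT") for f in self.flags)

@dataclass
class Rule:
    conds: list[Cond]
    pattern: str
    substitution: str
    lineno: int

COND_RE = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$')

def parse_rewrite_config(text: str) -> list[Rule]:
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            flags = [f.strip() for f in (m.group(3) or "").split(",") if f.strip()]
            pending.append(Cond(m.group(1), m.group(2), flags, n))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(pending, m.group(1), m.group(2), n))
            pending = []
    return rules

def skipped_conditions(rule: Rule) -> list[Cond]:
    """Conditions placed after a completed [OR] chain in the rule's chain.

    These are the guards the advisory says an affected RewriteValve skipped
    when the chain's first condition matched. Flagging everything after the
    chain's closing non-OR member is an assumption chosen to over-report.
    """
    in_chain, chain_closed, flagged = False, False, []
    for c in rule.conds:
        if chain_closed:
            flagged.append(c)
        elif c.is_or:
            in_chain = True
        elif in_chain:
            chain_closed = True   # this non-OR condition ends the chain
    return flagged

def audit(text: str) -> list[tuple[int, list[int]]]:
    """(rule line, [lines of conditions that may be skipped]) per affected rule."""
    out = []
    for r in parse_rewrite_config(text):
        s = skipped_conditions(r)
        if s:
            out.append((r.lineno, [c.lineno for c in s]))
    return out

def make_matcher(request: dict[str, str]):
    """Match one condition against a constructed request (variables -> values)."""
    def matcher(c: Cond) -> bool:
        value = request.get(c.test.strip("%{}"), "")
        pat, negate = (c.pattern[1:], True) if c.pattern.startswith("!") else (c.pattern, False)
        return (re.search(pat, value) is not None) != negate
    return matcher

def evaluate(conds: list[Cond], matcher, skip_after_or_match: bool = False) -> bool:
    """Simplified model of AND/[OR] evaluation (illustration, not Tomcat's code).

    With skip_after_or_match=True the model reproduces the advisory's bug:
    once the first condition of an OR chain matches, the remaining non-OR
    conditions of the rule are not consulted at all.
    """
    i = 0
    while i < len(conds):
        if conds[i].is_or:
            chain = []
            while i < len(conds) and conds[i].is_or:      # OR-flagged members
                chain.append(conds[i]); i += 1
            if i < len(conds):                            # closing non-OR member
                chain.append(conds[i]); i += 1
            first_hit = matcher(chain[0])
            if not any(matcher(x) for x in chain):
                return False
            if skip_after_or_match and first_hit:
                return True                               # later guards never run
        else:
            if not matcher(conds[i]):
                return False
            i += 1
    return True

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for rule_line, cond_lines in audit(text):
        print(f"rule at line {rule_line}: conditions on lines {cond_lines} follow an [OR] chain")
```

Running the script with a path audits a real rewrite.config; without arguments it audits the constructed sample, where the `/internal/` guard on line 4 is reported. The auditor only identifies configurations matching the precondition described above; the fix remains the vendor upgrade listed under Remediation.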
Recommended Action (AI)
Within 24 hours: Identify all Tomcat instances and their versions across production and development environments. …
Technique: Information Disclosure
Related identifiers: EUVD-2026-40227, GHSA-h792-v28v-ppgr