Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affects only the accuracy of locally logged configuration available to a privileged operator (PR:H, AV:L); at most minor confidentiality of audit data (C:L), with no integrity or availability impact.
Primary rating from Vendor (apache).
CVSS Vector (Vendor: apache)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Analysis (AI)
Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that an administrator has enabled logging of the effective web.xml on an affected Tomcat instance and is relying on that logged output to audit security constraints; the omission only manifests for security-constraint elements that use special roles (wildcard role names) or an empty `<auth-constraint/>` (deny-all). … |
| Risk Assessment | The published signals conflict sharply and should be reconciled before prioritization. … |
| Exploit Scenario | An operator enables effective web.xml logging on an unpatched Tomcat to audit a web application's access controls; the log omits an empty `<auth-constraint/>` deny-all rule and wildcard-role constraints, leading the operator to wrongly conclude an endpoint is unprotected, or protected differently than it actually is, and to make a flawed configuration decision based on that incomplete record. No public exploit code exists, and the issue is not attacker-triggered over the network despite the published AV:N rating. |
| Remediation | Vendor-released patch: upgrade to Apache Tomcat 11.0.23, 10.1.56, or 9.0.119, which fix the effective web.xml logging behavior, as documented in the Apache advisory (https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v). … |
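As an added defensive check (this is example code, not code from the page or from Tomcat), the following Python enumerates the `<security-constraint>` rules of a web.xml directly, so an auditor on an unpatched instance does not depend on the effective-web.xml log; it explicitly keeps the two cases the affected versions drop: an empty `<auth-constraint/>` (deny-all) and the Servlet special role names `*` and `**`. The sample web.xml is constructed for the example.

```python
"""Enumerate <security-constraint> rules from a web.xml, keeping the deny-all
(empty <auth-constraint/>) and special-role cases that the affected Tomcat
versions drop from the logged effective web.xml."""
import xml.etree.ElementTree as ET

# Special role names defined by the Servlet specification.
SPECIAL_ROLES = {"*": "all-declared-roles", "**": "any-authenticated-user"}

# Constructed sample web.xml (not taken from any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern>
      <http-method>PUT</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""


def summarize_constraints(xml_text):
    """Return one record per <security-constraint>: access is 'unrestricted' (no
    <auth-constraint>), 'deny-all' (empty <auth-constraint/>) or 'roles'."""
    root = ET.fromstring(xml_text)
    records = []
    for sc in root.iterfind("{*}security-constraint"):  # {*} matches any namespace
        patterns, methods = [], []
        for wrc in sc.iterfind("{*}web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.iterfind("{*}url-pattern")]
            methods += [e.text.strip() for e in wrc.iterfind("{*}http-method")]
        # Test with 'is None', never truthiness: an element with no children is falsy,
        # so 'if ac:' would silently treat the deny-all <auth-constraint/> as absent.
        ac = sc.find("{*}auth-constraint")
        roles = [] if ac is None else [r.text.strip() for r in ac.iterfind("{*}role-name")]
        access = "unrestricted" if ac is None else ("deny-all" if not roles else "roles")
        records.append({
            "patterns": patterns,
            "methods": methods or ["*"],  # no <http-method> means all methods
            "access": access,
            "roles": roles,
            "special_roles": [SPECIAL_ROLES[r] for r in roles if r in SPECIAL_ROLES],
        })
    return records


if __name__ == "__main__":
    print(summarize_constraints(SAMPLE_WEB_XML))
```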
Recommended Action (AI)
Within 24 hours: Identify all Tomcat instances running versions 8.5.0-8.5.100, 9.0.0-9.0.118, 10.1.0-10.1.55, or 11.0.0-11.0.22. …
EUVD-2026-40230
GHSA-mqg3-r7h5-24x4