Severity by source
CVSS vector (Vendor: apache): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-exploitable with no authentication since the constraint itself is bypassed; integrity is High because unrestricted PUT/DELETE on default servlet enables file modification or upload.
Primary rating from Vendor (apache).
Description (source: CVE.org)
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Analysis (AI)
Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target Tomcat deployment has security constraints defined in web.xml (or equivalent descriptor) that target the default servlet URL pattern and include either `<http-method>` elements (to restrict specific verbs) or `<http-method-omission>` elements (to restrict all verbs except listed ones). … |
| Risk Assessment | No CVSS vector or EPSS score has been assigned at time of analysis, requiring risk to be inferred from the mechanism and deployment context. … |
| Exploit Scenario | An attacker targets a Tomcat server where web.xml configures a security constraint requiring authentication for PUT requests to the default servlet's URL pattern, intending to prevent unauthenticated file uploads. Because Tomcat ignores the method-level constraint, the attacker sends an unauthenticated HTTP PUT request to upload a JSP webshell to a web-accessible directory, bypassing the intended restriction and achieving remote code execution. … |
| Remediation | Upgrade to Apache Tomcat 11.0.23, 10.1.56, or 9.0.119, which contain the fix per the vendor advisory at https://lists.apache.org/thread/dcjdcnnnww9hhdm016hr0l7hpw1bzjfp. … |
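As an added defender-side check (this script is not part of the vuln.today page, the advisory, or the Tomcat project), the Python below parses a web.xml and flags the configuration the Exploitation row describes: security constraints on the default servlet's URL pattern that are narrowed with `<http-method>` or `<http-method-omission>` elements, which affected Tomcat versions ignore. It also compares a Tomcat version string against the fixed releases listed in the Remediation row. Assumptions: the default servlet is mapped to `/` (the stock Tomcat conf/web.xml mapping; adjust `DEFAULT_SERVLET_PATTERNS` if your deployment differs), url-patterns are compared as exact text, 8.5.x and 7.0.x are treated as having no fixed release because the page lists none, and the sample descriptor is constructed for the demonstration.

```python
# Added audit script (not from the page or the Tomcat project).
import xml.etree.ElementTree as ET

# Assumption: the default servlet is mapped to "/" (stock Tomcat conf/web.xml).
DEFAULT_SERVLET_PATTERNS = frozenset({"/"})

# First fixed release per branch, from the advisory text; 8.5.x/7.0.x list none.
FIRST_FIXED = {11: (11, 0, 23), 10: (10, 1, 56), 9: (9, 0, 119)}

# Constructed sample: two method-scoped constraints on "/", one elsewhere, one unscoped.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>Uploads</web-resource-name>
      <url-pattern>/</url-pattern><http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Read-only API</web-resource-name>
      <url-pattern>/</url-pattern><http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Everything</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def find_method_scoped_constraints(web_xml, default_patterns=DEFAULT_SERVLET_PATTERNS):
    """One finding per web-resource-collection that covers a default-servlet pattern
    and narrows the constraint by HTTP method; unscoped constraints are skipped."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = _texts(wrc, "http-method")
            omissions = _texts(wrc, "http-method-omission")
            if not (methods or omissions):
                continue  # no method scoping: not the pattern this bug affects
            hit = sorted(set(_texts(wrc, "url-pattern")) & set(default_patterns))
            if hit:
                names = _texts(wrc, "web-resource-name")
                findings.append({"name": names[0] if names else "<unnamed>",
                                 "patterns": hit, "methods": methods,
                                 "omissions": omissions})
    return findings


def _parse_version(version):
    """'9.0.118' -> (9, 0, 118); milestone suffixes such as -M1 or .M1 are dropped."""
    nums = []
    for piece in version.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple((nums + [0, 0, 0])[:3])


def is_fixed_version(version):
    """True only for the fixed releases named on this page or later in that branch."""
    v = _parse_version(version)
    fixed = FIRST_FIXED.get(v[0])
    return fixed is not None and v >= fixed


def audit(web_xml, tomcat_version):
    findings = find_method_scoped_constraints(web_xml)
    fixed = is_fixed_version(tomcat_version)
    return {"fixed": fixed, "findings": findings,
            "at_risk": bool(findings) and not fixed}


if __name__ == "__main__":
    report = audit(SAMPLE_WEB_XML, "9.0.118")
    for f in report["findings"]:
        print(f["name"], f["patterns"], f["methods"], f["omissions"])
    print("fixed:", report["fixed"], "at risk:", report["at_risk"])
```

On the constructed descriptor the script reports "Uploads" and "Read-only API" (both on `/` and both method-scoped) and leaves the `/admin/*` and unscoped constraints alone; with version 9.0.118 the verdict is at risk, with 9.0.119 it is not. A finding means the method scoping cannot be relied on until the instance runs a fixed release; a constraint without `<http-method>` or `<http-method-omission>` elements is unaffected by this issue.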
Weakness: CWE-285 – Improper Authorization. Technique: Authentication Bypass.
Related identifiers: EUVD-2026-40232, GHSA-5v3h-fjv2-54fg