Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Remote unauthenticated encoded request bypasses constraints (AV:N/PR:N); high confidentiality/integrity to protected resources, no availability impact; config dependency treated as scope of exposure, not attack complexity, so AC:L.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.
Articles & Coverage 2
AnalysisAI
Security constraint bypass in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.119, 10.1.0-M1-10.1.56, 11.0.0-M1-11.0.23) lets remote attackers reach protected resources by abusing improperly handled hex URL encoding in the RewriteValve, defeating URL-pattern security constraints. Because the flaw resides in the rewrite valve, only deployments that use the RewriteValve together with security constraints are exposed, but where present an unauthenticated attacker (per CVSS PR:N) can access or manipulate resources meant to be restricted. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Tomcat instance to have the RewriteValve configured AND to rely on Tomcat security constraints (web.xml <security-constraint> URL patterns) to protect resources - this is the 'for some configurations' precondition stated in the advisory, not a default out-of-the-box posture. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and require judgment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker profiles an internet-facing Tomcat application that uses the RewriteValve and protects an administrative or internal path with a URL-pattern security constraint. They send a normal HTTP request whose path uses hex-encoded characters (e.g. … |
| Remediation | Vendor-released patch: upgrade to Apache Tomcat 11.0.24, 10.1.57, or 9.0.120, which fix the issue on the respective 11.0.x, 10.1.x, and 9.0.x branches. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Apache Tomcat deployments running versions 8.5.0-8.5.100, 9.0.0.M1-9.0.119, 10.1.0-M1-10.1.56, or 11.0.0-M1-11.0.23 with RewriteValve enabled; escalate to Apache Tomcat for patch release timeline; enable enhanced HTTP access logging to detect potential exploitation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all
Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b
Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43638
GHSA-hcjr-322h-429r