Skip to main content

Tomcat CVE-2026-59084

| EUVDEUVD-2026-43640 CRITICAL
Insufficient Technical Documentation (CWE-1059)
2026-07-14 apache GHSA-cwxf-7cw2-7r32
9.1
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.1 LOW
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
5.9 MEDIUM

Adjacent network vector for cluster traffic; AC:H because misconfiguration from undocumented requirements must be present; no confidentiality or integrity impact on availability.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 15:22 NVD
LOW CRITICAL
CVSS changed
Jul 14, 2026 - 15:22 NVD
9.1 (LOW) 9.1 (CRITICAL)
Analysis Generated
Jul 14, 2026 - 09:31 vuln.today
CVE Published
Jul 14, 2026 - 08:24 cve.org
LOW

DescriptionCVE.org

Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.

AnalysisAI

Cluster-communication confidentiality and integrity in Apache Tomcat can be undermined because the secure-configuration requirements for the EncryptInterceptor were never clearly documented, leaving operators liable to deploy the cluster session-replication channel insecurely. The flaw affects Tomcat 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.119, 10.1.0-M1-10.1.56 and 11.0.0-M1-11.0.23, and is fixed in 9.0.120, 10.1.57 and 11.0.24. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, determine if your infrastructure uses Apache Tomcat in cluster mode with session replication; if not deployed in this configuration, document and close. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Share

CVE-2026-59084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy