Apache Tomcat · EUVD-2026-29515

CVE-2026-42498 · HIGH
Information Exposure (CWE-200)
2026-05-12 · apache · GHSA-fv25-8xcx-gqjc
7.3 (CVSS 3.1, NVD)

Severity by source

NVD (primary): 7.3 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE: HIGH (qualitative)
Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 09:07 (vuln.today)
CVSS changed: May 13, 2026 16:22 (NVD), 7.3 (HIGH)
CVE Published: May 12, 2026 15:17 (nvd), UNKNOWN (no severity yet)
CVE Published: May 12, 2026 15:17 (nvd), HIGH 7.3

Blast Radius (ecosystem impact; transitive dependency graph resolved to 4-path depth)

  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.1.0-M1 and other introduced versions.

Description (CVE.org)

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Analysis (AI)

Information disclosure in Apache Tomcat versions 7.0.83 through 11.0.21 exposes HTTP authentication headers to unintended hosts during WebSocket authentication handshakes, enabling credential leakage to third-party endpoints. The flaw carries a CVSS 7.3 score with partial confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Tomcat app making authenticated WebSocket calls
Delivery: Stand up attacker-controlled WebSocket host or redirector
Exploit: Induce vulnerable client to connect cross-host
Execution: Tomcat leaks HTTP Authorization header
Persist: Capture and replay credentials against original service
Impact: Access protected data or APIs

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that a Tomcat-hosted application acts as a WebSocket client (or otherwise initiates an authenticated WebSocket handshake) and that the connection traverses or is redirected to a host different from the one for which the HTTP Authorization header was minted; the attacker must control or observe that unexpected destination host. …

Risk Assessment: Signals are mixed and lean toward moderate, opportunistic risk rather than priority-one. …

Exploit Scenario: An attacker controlling or able to influence a WebSocket endpoint that a Tomcat-based client is induced to connect to (for example via a redirect from a legitimate host or a misconfigured URL in a server-to-server integration) receives the victim's HTTP Authorization header, including any Basic or Bearer credentials intended for the original host. The attacker then replays the captured credentials against the legitimate service to access protected APIs. …

Remediation: Vendor-released patches are available: upgrade to Apache Tomcat 11.0.22, 10.1.55, or 9.0.118 on the supported branches, as documented in the Apache advisory at https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb and mirrored at http://www.openwall.com/lists/oss-security/2026/05/12/14. …

Recommended Action (AI)

Within 24 hours: Identify and inventory all Tomcat 7.0.83-11.0.21 instances; apply network restrictions or disable WebSocket services as interim protection. …
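To support the inventory step above, here is an added Python helper (not code from vuln.today or the Apache project) that parses Tomcat version strings, including milestone builds such as 10.1.0-M1, and checks them against the affected ranges and fixed versions quoted in the advisory text on this page; the inventory lines are constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple
# Affected ranges and fixed versions as listed in the advisory text on this page;
# the 8.5.x and 7.0.x branches have no fixed release listed, hence None.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.21", "11.0.22"),
    ("10.1.0-M1", "10.1.54", "10.1.55"),
    ("9.0.2", "9.0.117", "9.0.118"),
    ("8.5.24", "8.5.100", None),
    ("7.0.83", "7.0.109", None),
]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into (major, minor, patch, is_ga, milestone);
    milestone builds such as 11.0.0-M1 sort before the GA 11.0.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, fixed_version) for CVE-2026-42498."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

# Constructed sample inventory (host,version); not data from the page.
SAMPLE_INVENTORY = """\
app01,10.1.54
app03,11.0.0-M3
legacy01,8.5.100
build01,9.0.1
"""

def affected_hosts(inventory_csv: str) -> Dict[str, Optional[str]]:
    # Map each affected host to the fixed version to move to (None = no fixed release on that branch).
    hits: Dict[str, Optional[str]] = {}
    for line in inventory_csv.splitlines():
        if line.strip():
            host, version = line.split(",", 1)
            affected, fixed = assess(version)
            if affected:
                hits[host] = fixed
    return hits
```

Hosts mapped to None sit on the 8.5.x or 7.0.x branches, for which the advisory lists no fixed release and points to the supported branches instead.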



Vendor Status

SUSE (severity: High)

Product status:
SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7: Fixed
