Apache Tomcat
Monthly
Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.
Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.
Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.
Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.
Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).
Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.
Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.
Timing side-channel in Apache Tomcat's AJP secret comparison exposes the shared AJP connector secret to remote, unauthenticated attackers capable of making precise network timing measurements. The vulnerability, tracked as CWE-208 (Observable Timing Discrepancy), affects all major Tomcat branches from 7.0.0 through current releases prior to the fixed versions, and could allow an attacker to recover the AJP shared secret through repeated probing. No public exploit code exists at time of analysis, EPSS is 0.02%, and CISA SSVC rates exploitation as none - making real-world risk low despite the network-accessible attack vector.
Information disclosure in Apache Tomcat versions 7.0.83 through 11.0.21 exposes HTTP authentication headers to unintended hosts during WebSocket authentication handshakes, enabling credential leakage to third-party endpoints. The flaw carries a CVSS 7.3 score with partial confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. EPSS probability is very low (0.03%) but SSVC marks the issue as automatable, indicating that scripted exploitation is feasible if attacker positioning is achieved.
Denial of service in Apache Tomcat 9.x, 10.1.x, and 11.0.x allows remote unauthenticated attackers to exhaust server resources due to missing limits or throttling on a resource allocation path (CWE-770). Affected versions span 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, and 9.0.0.M1 through 9.0.117, with older unsupported branches also implicated per the EUVD entry. No public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 5th percentile), but the SSVC framework flags the issue as automatable with partial technical impact.
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.
Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.
Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.
Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.
Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).
Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.
Reflected XSS in Apache Tomcat's bundled 'number guess' example application exposes users of that demo page to script injection across all major Tomcat release lines from 7.0 through 11.0. The flaw resides in a sample JSP/servlet, not the core Tomcat runtime, meaning exploitation depends entirely on the example application being deployed and accessible - a configuration that violates standard production hardening guidance. No public exploit code or active exploitation has been identified at time of analysis; no CVSS vector was assigned by the reporter.
Timing side-channel in Apache Tomcat's AJP secret comparison exposes the shared AJP connector secret to remote, unauthenticated attackers capable of making precise network timing measurements. The vulnerability, tracked as CWE-208 (Observable Timing Discrepancy), affects all major Tomcat branches from 7.0.0 through current releases prior to the fixed versions, and could allow an attacker to recover the AJP shared secret through repeated probing. No public exploit code exists at time of analysis, EPSS is 0.02%, and CISA SSVC rates exploitation as none - making real-world risk low despite the network-accessible attack vector.
Information disclosure in Apache Tomcat versions 7.0.83 through 11.0.21 exposes HTTP authentication headers to unintended hosts during WebSocket authentication handshakes, enabling credential leakage to third-party endpoints. The flaw carries a CVSS 7.3 score with partial confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. EPSS probability is very low (0.03%) but SSVC marks the issue as automatable, indicating that scripted exploitation is feasible if attacker positioning is achieved.
Denial of service in Apache Tomcat 9.x, 10.1.x, and 11.0.x allows remote unauthenticated attackers to exhaust server resources due to missing limits or throttling on a resource allocation path (CWE-770). Affected versions span 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, and 9.0.0.M1 through 9.0.117, with older unsupported branches also implicated per the EUVD entry. No public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 5th percentile), but the SSVC framework flags the issue as automatable with partial technical impact.
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).