top of page

Security advisory: Two new Apache Tomcat vulnerabilities threaten network security

The Apache Software Foundation (ASF) has recently identified and disclosed two notable security vulnerabilities within Apache Tomcat, a widely used web server component. These vulnerabilities could allow malicious actors to bypass access controls and authentication mechanisms, resulting in unauthorized access to highly secured web applications.

Vulnerability CVE-2026-55957: Security constraint bypass risk

The first vulnerability, tracked as CVE-2026-55957, is classified in the high-severity category. This issue affects Tomcat's JNDIRealm component when the system is configured with a GSSAPI authenticated bind.

The root cause stems from the system incorrectly enforcing security rules on the "default servlet" (the component handling default requests). Consequently, HTTP methods defined or omitted within the access rules are silently ignored by the system.

As a result, attackers can easily evade existing restrictions and directly access critical resources without undergoing full authentication. This poses a significant threat to any system operating under this specific configuration.

  • Affected versions:

    • Apache Tomcat version 11.0.x (prior to 11.0.5)

    • Apache Tomcat version 10.1.x (prior to 10.1.37)

    • Apache Tomcat version 9.0.x (prior to 9.0.101)

Recommendation: Users should promptly upgrade to Tomcat versions 11.0.5, 10.1.37, or 9.0.101 and above to mitigate this risk.

Vulnerability CVE-2026-5596: A multi-version flaw

The second flaw, tracked as CVE-2026-5596, is rated as a medium-severity vulnerability. Similar to CVE-2026-55957, it originates from the failure of security constraints applied to the default servlet to properly execute for configured or excluded HTTP methods.

Although classified with a lower severity level than the first vulnerability, CVE-2026-5596 impacts a broader range across multiple generations of Tomcat versions. This indicates that the system flaw silently persisted through numerous software release cycles before being detected.

  • Affected versions:

    • Apache Tomcat version 11.0.x (prior to 11.0.23)

    • Apache Tomcat version 10.1.x (prior to 10.1.56)

    • Apache Tomcat version 9.0.x (prior to 9.0.119)

Recommendation: Developers advise users to update to Tomcat versions 11.0.23, 10.1.56, or 9.0.119 and above.

How the vulnerabilities work and their associated risks

The crux of both security flaws lies in how Apache Tomcat handles security constraint definitions (<security-constraint>) for the default servlet.

Apache Tomcat handles security constraint definitions (<security-constraint>) for the default servlet
Apache Tomcat handles security constraint definitions (<security-constraint>) for the default servlet

In practice, when administrators restrict access to specific HTTP methods - such as blocking modification or deletion commands (PUT or DELETE) while allowing standard data viewing (GET) - Tomcat's request-matching algorithm behaves inconsistently. The system fails to uniformly honor these method-level restrictions.

This means endpoints that appear to be tightly secured by HTTP method blocking rules can still be accessed via unconstrained methods. Consequently, attackers can exploit this loophole to infiltrate internal networks or gain full control over the system.

Mitigation and emergency response measures

For organizations operating affected Tomcat versions, installing the latest patches is a top priority. This action is particularly urgent for:

  • Systems where the default servlet is responsible for handling sensitive content.

  • Systems using JNDIRealm combined with GSSAPI bind for LDAP-based authentication.

The Apache Software Foundation emphasizes that there are no workarounds or alternative measures other than a software upgrade. Upgrading to the patched versions is the only and safest path to eliminate the risk.

Additionally, once the upgrade process is complete, administrators should proactively review the security constraints within their current web.xml file. This step ensures that access control mechanisms are functioning precisely as intended.

The emergence of these vulnerabilities in Apache Tomcat serves as a critical reminder for system administrators to audit their information security posture. To comprehensively protect web applications and internal data from unauthorized intrusion, proactively updating to the latest version recommended by the developer is the most optimal and reliable solution at this time.

Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page