{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24733", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-26T13:59:00.422Z", "datePublished": "2026-02-17T18:50:43.871Z", "dateUpdated": "2026-03-11T15:19:30.867Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.14", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.49", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.112", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat.<br></p><p>Tomcat did not limit HTTP/0.9 requests to the GET method. If a security \nconstraint was configured to allow HEAD requests to a URI but deny GET \nrequests, the user could bypass that constraint on GET requests by \nsending a (specification invalid) HEAD request using HTTP/0.9.<br></p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.<br></p><p>Older, EOL versions are also affected.</p><p>Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.</p>"}], "value": "Improper Input Validation vulnerability in Apache Tomcat.\n\n\nTomcat did not limit HTTP/0.9 requests to the GET method. If a security \nconstraint was configured to allow HEAD requests to a URI but deny GET \nrequests, the user could bypass that constraint on GET requests by \nsending a (specification invalid) HEAD request using HTTP/0.9.\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.\n\n\nOlder, EOL versions are also affected.\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-17T18:50:43.871Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f"}], "source": {"discovery": "INTERNAL"}, "title": "Apache Tomcat: Security constraint bypass with HTTP/0.9", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24733", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-21T21:16:58.680222Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:19:30.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24733", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-21T21:16:58.680222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:21:07.940Z"}}], "cna": {"title": "Apache Tomcat: Security constraint bypass with HTTP/0.9", "source": {"discovery": "INTERNAL"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.14"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.49"}, {"status": "affected", "version": "9.0.0.M1", "versionType": "semver", "lessThanOrEqual": "9.0.112"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.5.100"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat.\n\n\nTomcat did not limit HTTP/0.9 requests to the GET method. If a security \nconstraint was configured to allow HEAD requests to a URI but deny GET \nrequests, the user could bypass that constraint on GET requests by \nsending a (specification invalid) HEAD request using HTTP/0.9.\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.\n\n\nOlder, EOL versions are also affected.\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Input Validation vulnerability in Apache Tomcat.<br></p><p>Tomcat did not limit HTTP/0.9 requests to the GET method. If a security \nconstraint was configured to allow HEAD requests to a URI but deny GET \nrequests, the user could bypass that constraint on GET requests by \nsending a (specification invalid) HEAD request using HTTP/0.9.<br></p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.<br></p><p>Older, EOL versions are also affected.</p><p>Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-17T18:50:43.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24733", "state": "PUBLISHED", "dateUpdated": "2026-03-11T15:19:30.867Z", "dateReserved": "2026-01-26T13:59:00.422Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-17T18:50:43.871Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "B76D20D5-8512-40CD-8B59-B0D4FBFBE7F3", "versionEndExcluding": "9.0.113", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A9BCC2E-EB49-4C74-B150-564AEDE6D8BB", "versionEndExcluding": "10.1.50", "versionStartIncluding": "10.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9307BA8D-D3BD-41B0-89F3-124704B7EA6A", "versionEndExcluding": "11.0.15", "versionStartIncluding": "11.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "83B9FF07-1B93-4F8C-AC56-7CA74E61B724", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "310B0163-01DE-40DA-A2EA-FFA4A6100037", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "75420449-A951-4133-A5F1-4C01F2DF843B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "899B6FF0-8701-47E7-8EDA-428A6D48786D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in Apache Tomcat.\n\n\nTomcat did not limit HTTP/0.9 requests to the GET method. If a security \nconstraint was configured to allow HEAD requests to a URI but deny GET \nrequests, the user could bypass that constraint on GET requests by \nsending a (specification invalid) HEAD request using HTTP/0.9.\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.\n\n\nOlder, EOL versions are also affected.\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada inadecuada en Apache Tomcat.\n\nTomcat no limitaba las solicitudes HTTP/0.9 al m\u00e9todo GET. Si una restricci\u00f3n de seguridad estaba configurada para permitir solicitudes HEAD a una URI pero denegar solicitudes GET, el usuario pod\u00eda eludir esa restricci\u00f3n en las solicitudes GET enviando una solicitud HEAD (inv\u00e1lida seg\u00fan la especificaci\u00f3n) usando HTTP/0.9.\n\nEste problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.14, desde 10.1.0-M1 hasta 10.1.49, desde 9.0.0.M1 hasta 9.0.112.\n\nLas versiones m\u00e1s antiguas, EOL, tambi\u00e9n est\u00e1n afectadas.\n\nSe recomienda a los usuarios actualizar a la versi\u00f3n 11.0.15 o posterior, 10.1.50 o posterior o 9.0.113 o posterior, lo que soluciona el problema."}], "id": "CVE-2026-24733", "lastModified": "2026-03-11T16:16:29.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-17T19:21:56.820", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat: security constraint bypass with HTTP/0.9", "id": "2440437", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440437"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["A flaw was found in Tomcat. An improper input validation vulnerability allows an attacker to bypass security constraints. Specifically, if a security constraint is configured to permit HEAD requests to a URI but deny GET requests, a malformed or specification invalid HEAD request using the HTTP/0.9 protocol can bypass the intended denial rule, enabling an attacker to access resources that should be protected."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, ensure that security constraints are consistent across similar methods (e.g., if GET is denied, HEAD should likely be denied) or block HTTP/0.9 traffic via a reverse proxy or firewall, if it is not required."}, "name": "CVE-2026-24733", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-17T18:50:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24733\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24733\nhttps://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f"], "statement": "This flaw is only exploitable when Tomcat is configured to allow HEAD requests but deny GET requests to the same resource, a very unlikely configuration. Due to this reason, this flaw has been rated with a low severity.", "threat_severity": "Low"}

{"created": "2026-02-18T10:33:45.083253+00:00", "updated": "2026-02-18T10:33:45.083360+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat", "apache_tomcat", "apache_tomcat$PRODUCT$apache_tomcat"]}