Description
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsupported versions may also be affected

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Published: 2026-04-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Immediate Patch
AI Analysis

Impact

A flaw in Apache Tomcat's LoadBalancerDrainingValve permits an attacker to cause the server to redirect HTTP requests to arbitrary URLs. The vulnerability can be exploited by supplying a crafted query string that instructs the valve to forward the request to an untrusted domain, leading to phishing or malicious content. This falls under CWE-601, an open redirect weakness that primarily jeopardizes user trust and can assist in credential theft or drive‑by attacks.

Affected Systems

The issue spans multiple Tomcat releases. Users running Apache Tomcat 11.x from 11.0.0-M1 through 11.0.18, 10.x from 10.1.0-M1 through 10.1.52, 9.x from 9.0.0.M23 through 9.0.115, and 8.5.x from 8.5.30 through 8.5.100 are affected. Unsupported or older versions may also be vulnerable. The official recommendation is to upgrade to 11.0.20, 10.1.53, or 9.0.116 where the issue is resolved.

Risk and Exploitability

The CVSS score is not provided and EPSS data is missing, indicating no current exploitation evidence, while the vulnerability is absent from the CISA KEV list. Nevertheless, because open redirects are a common manipulation vector, the risk is considered moderate until mitigated. Attackers would need network access to the Tomcat instance and to trigger the LoadBalancerDrainingValve, typically via a crafted HTTP request. After exploitation, the redirect can lure users to malicious destinations, potentially enabling phishing, credential theft, or malware delivery.

Generated by OpenCVE AI on April 9, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the patched release (11.0.20, 10.1.53, or 9.0.116).
  • If an upgrade is infeasible, remove or disable the LoadBalancerDrainingValve in server.xml or context.xml to block future redirects.
  • Review and restrict any incoming parameters that could influence redirects.
  • Monitor web server logs for unexpected redirect patterns and validate user traffic.
  • Keep Tomcat and associated components up to date and apply security patches promptly.

Generated by OpenCVE AI on April 9, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

threat_severity

Low

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Title Apache Tomcat: Occasionally open redirect
Weaknesses CWE-601
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T18:22:34.359Z

Reserved: 2026-02-06T16:25:11.569Z

Link: CVE-2026-25854

cve-icon Vulnrichment

Updated: 2026-04-09T23:15:47.041Z

cve-icon NVD

Status : Received

Published: 2026-04-09T20:16:24.207

Modified: 2026-04-10T19:16:21.237

Link: CVE-2026-25854

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-09T19:13:13Z

Links: CVE-2026-25854 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:44Z

Weaknesses