Description
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsupported versions may also be affected

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Published: 2026-04-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Patch
AI Analysis

Impact

Apache Tomcat may send a response that redirects a client to an arbitrary URL when a request with certain parameters is processed by the LoadBalancerDrainingValve. This open redirect behavior can be exploited by an attacker to send unsuspecting users to a malicious destination, which can lead to phishing, credential theft or drive‑by attacks. The weakness is a form of redirect manipulation and is classified as CWE‑601.

Affected Systems

Apache Tomcat versions from 8.5.30 through 8.5.100, 9.0.0.M23 through 9.0.115, 10.1.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18 are affected. Any older or unsupported releases may also be vulnerable.

Risk and Exploitability

The CVSS base score is 6.1, indicating a moderate severity. The EPSS score is less than 1 %, implying a low probability of exploit, and the vulnerability is not listed by CISA as a known exploited vulnerability. Exploitation would require sending a crafted HTTP request to the Tomcat instance possessing the LoadBalancerDrainingValve; the redirect is not automatically triggered but occurs only under specific request conditions.

Generated by OpenCVE AI on April 14, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to at least 11.0.20, 10.1.53, or 9.0.116, which contain the fix for the LoadBalancerDrainingValve redirect issue.
  • If upgrading is not immediately possible, disable or remove the LoadBalancerDrainingValve component until a patch is applied.
  • Validate and sanitize all redirect URLs in your application logic to prevent accidental redirects to untrusted sites.
  • Keep Tomcat and related components up to date and monitor security advisories for future updates.

Generated by OpenCVE AI on April 14, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9m3c-qcxr-9x87 Apache Tomcat has an Open Redirect vulnerability
History

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

threat_severity

Low

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Title Apache Tomcat: Occasionally open redirect
Weaknesses CWE-601
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T18:22:34.359Z

Reserved: 2026-02-06T16:25:11.569Z

Link: CVE-2026-25854

cve-icon Vulnrichment

Updated: 2026-04-09T23:15:47.041Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T20:16:24.207

Modified: 2026-04-14T14:01:07.417

Link: CVE-2026-25854

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-09T19:13:13Z

Links: CVE-2026-25854 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:54Z

Weaknesses