Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unbounded memory allocation occurs during handling of WebDAV LOCK andPFIND requests in Apache Tomcat, a classic Allocation of Resources Without Limits or Throttling vulnerability (CWE-770). A hostile WebDAV request can cause the server to allocate excessive memory or perform disk I/O, exhausting resources and producing a denial of service for legitimate users. No confidentiality or integrity compromise is described.

Affected Systems

The flaw affects Tomcat 9.0.0.M1 through 9.0.117, 10.1.0.M1 through 10.1.54, and 11.0.0.M1 through 11.0.21. Older, unsupported releases may also be impacted. Administrators should verify the running Tomcat version against these ranges.

Risk and Exploitability

Based on the description, it is inferred that an attacker with access to the exposed WebDAV endpoints could trigger the resource exhaustion by sending LOCK or PROPFIND requests. The CVE entry does not specify whether authentication is required or whether the endpoint must be publicly reachable, so the exact exploitation pathway is not explicitly documented. No EPSS score is available, and the vulnerability is not listed in CISA KEV. The potential denial‑of‑service impact remains significant for any Tomcat deployment that enables WebDAV and has no preventative measures, making it a high‑risk concern in exposed environments.

Generated by OpenCVE AI on May 12, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to a release outside the affected ranges, such as 9.0.118, 10.1.55, or 11.0.22 and later.
  • If an upgrade is not immediately possible, disable the WebDAV component or remove the LOCK and PROPFIND methods from the server configuration so those endpoints are no longer reachable.
  • Configure Tomcat resource limits, including request size caps, thread pool limits, and connection timeouts, to mitigate the impact of an unbounded allocation when it occurs.

Generated by OpenCVE AI on May 12, 2026 at 20:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Title Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Weaknesses CWE-770
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-12T17:40:56.383Z

Reserved: 2026-04-20T07:27:43.961Z

Link: CVE-2026-41284

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-12T16:16:15.933

Modified: 2026-05-12T18:17:22.457

Link: CVE-2026-41284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses