Description
Improper Input Validation vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Tomcat contains an improper validation of HTTP/2 request headers that allows a client to send malformed or unexpected header data. The CVE description does not specify a particular downstream effect.

Affected Systems

This issue affects every Apache Tomcat installation running any of the following release ranges: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, and 10.0.0-M1 to 10.0.27. Older, end-of-support releases that contain the same code base may also be susceptible.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS estimate of <1% reflects a low probability of current public exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector involves a remote client establishing an HTTP/2 connection to the Tomcat server and sending crafted header data to trigger the flaw. No publicly documented exploits exist at this time.

Generated by OpenCVE AI on May 14, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the latest fixed release; follow vendor instructions for migration and patch deployment.
  • If an upgrade is not yet possible, temporarily disable the HTTP/2 protocol on the affected Tomcat instances to block malformed header traffic.
  • Monitor Tomcat access logs for unusually large or malformed HTTP/2 header entries and enforce additional firewall or WAF rules to contain potential exploitation attempts.

Generated by OpenCVE AI on May 14, 2026 at 23:57 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 15 May 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared: Apache, Apache tomcat
Vendors & Products: Apache, Apache tomcat

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Title Apache Tomcat: HTTP/2 request headers not validated
Weaknesses CWE-20
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-14T19:54:07.534Z

Reserved: 2026-04-20T10:26:28.623Z

Link: CVE-2026-41293

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-12T16:16:17.553

Modified: 2026-05-15T15:57:18.900

Link: CVE-2026-41293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T00:00:06Z

Weaknesses