Impact
A flaw in Apache Tomcat causes the HTTP authentication (Authorization) header to be sent to unexpected hosts during WebSocket handshakes, exposing credentials that should remain confidential. The vulnerability is an instance of Sensitive Data Exposure (CWE-200): an attacker who receives the handshake at one of those unexpected hosts obtains the raw authentication header, which compromises the affected user's identity and enables further unauthorized access with those credentials.
Affected Systems
Products impacted are Apache Tomcat versions 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.2 through 9.0.117, 8.5.24 through 8.5.100, and 7.0.83 through 7.0.109. The affected vendor is the Apache Software Foundation.
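As an added example (not part of the advisory, and not Tomcat or OpenCVE code), a small Python check that tells whether a Tomcat version string falls inside the affected ranges above, treating milestone builds such as 11.0.0-M1 as sorting before their GA release:

```python
"""Check a Tomcat version string against the affected ranges in this advisory.
Example added here, not Tomcat or OpenCVE code. Milestone builds (x.y.z-Mn)
sort before the corresponding GA release x.y.z, so 11.0.0-M1 < 11.0.0-M2 < 11.0.0."""
import re
from typing import List, Tuple

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("11.0.0-M1", "11.0.21"),
    ("10.1.0-M1", "10.1.54"),
    ("9.0.2", "9.0.117"),
    ("8.5.24", "8.5.100"),
    ("7.0.83", "7.0.109"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_GA_SENTINEL = 10**6  # larger than any milestone number, so GA sorts last


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, milestone) as a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


def is_affected(version: str) -> bool:
    """True if the version lies within any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from `catalina.sh version` output.
    for v in ["9.0.117", "9.0.118", "11.0.0-M5", "10.1.55", "7.0.109", "8.5.23"]:
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```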
Risk and Exploitability
The CVSS score of 7.3 rates this vulnerability as high severity, while the EPSS score of less than 1% suggests a low but nonzero probability of exploitation in the wild. It is not listed in the CISA KEV catalog, so no widespread public exploitation has been observed yet. The likely attack vector is a remote WebSocket handshake in which the attacker induces a legitimate client or server to perform the vulnerable authentication flow. Because the authentication header is delivered to an unintended host, an attacker positioned to receive it can capture the credentials it carries and use them to impersonate the legitimate user. Given the high CVSS score and the potential for credential compromise, the risk remains significant.
OpenCVE Enrichment
Github GHSA