Description
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55, or 9.0.118, which fix the issue.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LockOutRealm compares user names case-sensitively, which constitutes a CWE-178 (Improper Handling of Case Sensitivity) weakness and deviates from the behavior authentication components are usually expected to have. When a login attempt uses a name that differs from an existing one only in letter case, the realm may track it as a distinct account, or may fail to apply an existing lockout to it. This flaw can allow an attacker to bypass account lockout policies or create duplicate user identities, thereby compromising authentication integrity.

Affected Systems

Apache Tomcat, supplied by the Apache Software Foundation, is impacted across multiple major branches: Tomcat 11 from 11.0.0-M1 to 11.0.21, 10.1 from 10.1.0-M1 to 10.1.54, 9.0 from 9.0.0.M1 to 9.0.117, 8.5 from 8.5.0 to 8.5.100, and 7.0 from 7.0.0 to 7.0.109. Unsupported older releases may also be affected.

Risk and Exploitability

No CVSS score or EPSS value has been provided, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Without a public exploit, the probability of immediate exploitation remains unclear, but an attacker who can vary the letter case of a user name could gain unauthorized access or weaken the lockout mechanism. The likely attack vector is the application's login interface; no elevated privileges or remote code execution are reported.

Generated by OpenCVE AI on May 12, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to 11.0.22, 10.1.55, or 9.0.118 to apply the official fix that normalizes username case handling.
  • If a custom LockOutRealm implementation is in use, disable it or update it to match the patched behavior before upgrading.
  • Review authentication logs for suspicious login patterns that might indicate exploitation attempts and enforce stricter lockout policies.



Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Apache, Apache tomcat
Vendors & Products   -                Apache, Apache tomcat

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 16:00:00 +0000

Type          Values Removed   Values Added
Description   -                Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Title         -                Apache Tomcat: LockOutRealm treats user names as case-sensitive
Weaknesses    -                CWE-178
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-12T17:41:00.529Z

Reserved: 2026-05-01T16:21:04.703Z

Link: CVE-2026-43513

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-12T16:16:18.177

Modified: 2026-05-12T18:17:26.980

Link: CVE-2026-43513

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:00:18Z

Weaknesses