Description
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Published: 2026-05-12
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Tomcat implements an AJP connector that requires a secret for client authentication. In affected releases, the comparison of this secret uses a non-constant-time algorithm, creating measurable timing differences. The vulnerability is classified as CWE-208. An attacker who can observe response times can iteratively deduce the correct secret value. With the secret, the attacker can acquire an authenticated AJP session and obtain the same privileges as the Tomcat service, potentially compromising the web application and the underlying host.
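As an added illustration of the CWE-208 pattern described above (example code written for this page, not Tomcat's source or OpenCVE's), the first function below compares bytes and stops at the first mismatch, so the amount of work it does grows with the length of the matching prefix; that data-dependent work is what a timing observer measures. The two constant-time variants always do the same work regardless of input, and the hardened check also removes the length dependence by hashing both sides to a fixed size before comparing. The secret and candidate values are constructed samples; the `bytes_examined` counter is an instrumentation device for the demonstration, not something a real comparison would return.

```python
import hashlib
import hmac


def early_exit_compare(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Comparison that returns at the first differing byte (the CWE-208 pattern).

    Returns (equal, bytes_examined). The second value makes the data-dependent
    amount of work visible without having to measure wall-clock time.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined  # early exit: work grows with the matching prefix
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Comparison that always touches every byte; mismatches are OR-folded."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for a, b in zip(expected, supplied):
        diff |= a ^ b  # no branch on the data, so no early exit
    return diff == 0, len(expected)


def hardened_check(expected: bytes, supplied: bytes) -> bool:
    """Length-independent check: hash both sides to a fixed-size digest, then
    compare with hmac.compare_digest, which is designed to resist timing analysis."""
    return hmac.compare_digest(
        hashlib.sha256(expected).digest(),
        hashlib.sha256(supplied).digest(),
    )


def work_profile(compare, expected: bytes, candidates: list[bytes]) -> list[int]:
    """Bytes examined by `compare` for each candidate; flat for a safe comparison."""
    return [compare(expected, c)[1] for c in candidates]


# Constructed sample values for the demonstration (all 10 bytes long).
SECRET = b"s3cret-ajp"
CANDIDATES = [b"xxxxxxxxxx", b"s3xxxxxxxx", b"s3cretxxxx", b"s3cret-ajp"]

if __name__ == "__main__":
    # Early-exit profile rises with the matching prefix: [1, 3, 7, 10].
    print("early-exit   :", work_profile(early_exit_compare, SECRET, CANDIDATES))
    # Constant-time profile is flat: [10, 10, 10, 10].
    print("constant-time:", work_profile(constant_time_compare, SECRET, CANDIDATES))
    print("hardened     :", hardened_check(SECRET, b"s3cret-ajp"), hardened_check(SECRET, b"s3cret"))
```

The flat profile is the property a fix for this class of bug must restore: every rejected value costs the same as every other rejected value, so response time carries no information about how close a guess was. Hashing before comparison is the usual way to also hide the length of the expected value.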

Affected Systems

Apache Tomcat versions from 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.117, 10.1.0-M1 through 10.1.54, and 11.0.0-M1 through 11.0.21 are affected. Older unsupported releases may also be vulnerable.

Risk and Exploitability

The CVSS score of 3.7 corresponds to low severity, and the EPSS score of < 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA KEV. The description implies a network attack vector against the AJP port (default 8009). Once the secret has been recovered, an attacker can bypass authentication and execute commands in the context of the Tomcat service, potentially leading to full system compromise. The risk is higher when the AJP port is exposed to untrusted hosts.

Generated by OpenCVE AI on May 13, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to a patched release: 11.0.22 or later, 10.1.55 or later, or 9.0.118 or later.
  • If an upgrade is not immediately possible, disable the AJP connector in server.xml or remove it entirely to eliminate the attack surface.
  • Block inbound traffic to the AJP port (default 8009) with a firewall so that only trusted hosts can reach it while the upgrade is pending.
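The second and third actions above are configuration checks a defender can script. The audit below is an added example written for this page (not OpenCVE's or Tomcat's own code): it parses a `server.xml`, finds AJP connectors, and reports the conditions that widen the attack surface. The attribute names `protocol`, `port`, `address`, `secretRequired` and `secret` are the real Tomcat AJP connector attributes; the three `server.xml` fragments are constructed samples, the secret value is a placeholder, and treating an unset `address` as a finding is this script's conservative choice (the default binding depends on the Tomcat version, so setting it explicitly is safer).

```python
import xml.etree.ElementTree as ET


def is_ajp_connector(connector: ET.Element) -> bool:
    """AJP connectors use protocol="AJP/1.3" or an org.apache.coyote.ajp.* class name."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return protocol.startswith("AJP/") or ".coyote.ajp." in protocol


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one record per AJP <Connector> with the findings a defender cares about.

    ElementTree drops XML comments, so a connector that has been commented out
    or removed (the advisory's workaround) produces no record at all.
    """
    root = ET.fromstring(server_xml)
    records = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        address = connector.get("address")
        secret_required = connector.get("secretRequired", "true").lower()
        secret = connector.get("secret")
        findings = []
        if address is None:
            findings.append("address not set; set it explicitly (loopback unless a remote proxy needs it)")
        elif address in ("0.0.0.0", "::", "::0"):
            findings.append(f"address={address} exposes AJP on all interfaces")
        if secret_required != "true":
            findings.append("secretRequired is not true; unauthenticated AJP clients are accepted")
        if not secret:
            findings.append("no secret configured")
        records.append({
            "port": connector.get("port"),
            "address": address,
            "secret_required": secret_required == "true",
            "has_secret": bool(secret),
            "findings": findings,
        })
    return records


# Constructed sample configurations (minimal server.xml skeletons, not a real deployment).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="AJP/1.3" port="8009" address="0.0.0.0"
               secretRequired="false" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- AJP connector disabled pending upgrade:
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"/>
    -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML),
                            ("hardened", HARDENED_SERVER_XML),
                            ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text))
```

Run it against a real `server.xml` by reading the file into `audit_ajp_connectors`. An empty result is the state the workaround aims for; a record with an empty findings list is the state to aim for when a reverse proxy genuinely needs AJP while the upgrade is pending. The script only reads configuration; whether the host firewall actually restricts port 8009 still has to be checked separately.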


Advisories

Debian DLA, DLA-4619-1: tomcat9 security update
GitHub GHSA, GHSA-9m89-8frq-c98c: Apache Tomcat - AJP secret compared in non-constant time

History

Thu, 14 May 2026 19:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Wed, 13 May 2026 18:30:00 +0000

Type: Metrics
Values added:
cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 18:30:00 +0000

Type: References

Tue, 12 May 2026 18:00:00 +0000

Type: First Time appeared
Values added: Apache; Apache tomcat

Type: Vendors & Products
Values added: Apache; Apache tomcat

Tue, 12 May 2026 16:00:00 +0000

Type: Description
Values added: Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Type: Title
Values added: Apache Tomcat: AJP secret compared in non-constant time

Type: Weaknesses
Values added: CWE-208

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-13T17:22:42.246Z

Reserved: 2026-05-01T16:22:01.182Z

Link: CVE-2026-43514

Vulnrichment

Updated: 2026-05-12T17:41:01.502Z

NVD

Status: Analyzed

Published: 2026-05-12T16:16:18.370

Modified: 2026-05-14T18:46:41.457

Link: CVE-2026-43514

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T21:15:04Z

Weaknesses