Description
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tomcat enforces application access control through security constraints: each security-constraint in an application's web.xml names URL patterns, optionally the HTTP methods it covers, and the roles that may access them. When more than one such constraint declares an HTTP method for the same extension-mapped URL pattern (for example *.jsp), affected versions may apply the wrong constraint to a request, so a method that should require an authenticated role can be executed without it. The result is a bypass of the application's own access controls, exposing resources the constraints were meant to protect; the CVSS vector records high confidentiality and integrity impact and no availability impact.

Affected Systems

This flaw affects Apache Tomcat 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.117, 10.1.0-M1 through 10.1.54 and 11.0.0-M1 through 11.0.21, milestone releases included. Administrators should confirm the exact version of every instance, including Tomcat embedded inside other applications (for a standalone install, `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` prints it), and review each deployed application's security constraints for the overlapping configuration described above.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog; the data does not indicate a known public exploit, and the SSVC assessment records Exploitation: none. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) nevertheless describes the worst case: the flaw is reached with ordinary HTTP requests to an application whose method constraints overlap for an extension, needs no privileges or user interaction, and SSVC rates it Automatable: yes with total technical impact. The score of 9.1 is Critical, and because the outcome is an authorization bypass, remediation should not wait for evidence of exploitation. Exposure does depend on the deployed application's configuration: an instance whose constraints do not declare methods for the same extension more than once does not present the vulnerable condition, but it should still be upgraded before a later deployment introduces one.

Generated by OpenCVE AI on May 14, 2026 at 22:32 UTC.

Remediation

Fixed versions are 11.0.22, 10.1.55 and 9.0.118. No fixed release is listed for the 8.5.x (through 8.5.100) and 7.0.x (through 7.0.109) branches, both of which have reached end of life; deployments on those branches need to move to a supported branch. No vendor workaround is provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the fixed release for the branch in use: 11.0.22, 10.1.55 or 9.0.118. The 8.5.x and 7.0.x branches have no fixed release and are end of life, so instances on them need a branch migration rather than a patch.
  • Audit the web.xml of every deployed application (and any @ServletSecurity annotations, which Tomcat turns into constraints for the annotated servlet's mappings) for extension-mapped url-patterns such as *.jsp that appear in more than one security-constraint declaring http-method elements; express each extension's policy in a single constraint so that no two method constraints overlap.
  • Until the upgrade is complete, add a compensating control in front of the application, such as a reverse-proxy rule or a servlet filter, that rejects HTTP methods the application does not explicitly need and logs what it rejects, and confirm that its allow-list matches the methods and roles the security constraints intend.

Generated by OpenCVE AI on May 14, 2026 at 22:32 UTC.
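As a worked check for the audit recommended above, here is an added Python script (not OpenCVE's or the Tomcat project's code) that parses a web.xml, collects each security-constraint, and reports extension-mapped url-patterns that more than one constraint covers with explicit http-method elements, the overlap this advisory describes. Both descriptors, the constraint names and the roles are constructed for illustration; the script ignores http-method-omission and annotation-based (@ServletSecurity) constraints, so it is a first pass over deployed descriptors, not proof that an application is clear.

```python
"""Audit a Tomcat web.xml for extension-mapped url-patterns (e.g. *.jsp) that
are covered by more than one <security-constraint> declaring <http-method>.
Added example for this advisory; not code from OpenCVE or the Tomcat project."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _local(tag: str) -> str:
    """Strip the XML namespace so javaee and jakartaee descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


@dataclass
class Constraint:
    name: str
    patterns: Set[str] = field(default_factory=set)
    methods: Set[str] = field(default_factory=set)  # explicit <http-method>; empty = every method
    roles: Optional[Set[str]] = None  # None = no <auth-constraint>; empty set = deny all


def parse_constraints(web_xml: str) -> List[Constraint]:
    """Collect every <security-constraint> in the descriptor.
    <http-method-omission> and @ServletSecurity annotations are not considered."""
    out: List[Constraint] = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        c = Constraint(name="")
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or "").strip()
            if tag == "web-resource-name":
                c.name = text
            elif tag == "url-pattern":
                c.patterns.add(text)
            elif tag == "http-method":
                c.methods.add(text.upper())
            elif tag == "auth-constraint":
                c.roles = {(r.text or "").strip() for r in el if _local(r.tag) == "role-name"}
        out.append(c)
    return out


def find_extension_conflicts(web_xml: str) -> Dict[str, List[Constraint]]:
    """Extension patterns covered by two or more method constraints: the
    overlapping configuration the advisory describes."""
    by_pattern: Dict[str, List[Constraint]] = defaultdict(list)
    for c in parse_constraints(web_xml):
        if not c.methods:
            continue  # no <http-method>: covers all methods, so not a method constraint
        for p in c.patterns:
            if p.startswith("*."):
                by_pattern[p].append(c)
    return {p: cs for p, cs in by_pattern.items() if len(cs) > 1}


def describe(web_xml: str) -> List[str]:
    """One finding line per conflicting pattern, listing each constraint's methods and roles."""
    lines = []
    for pattern, cs in sorted(find_extension_conflicts(web_xml).items()):
        detail = "; ".join(
            f"{c.name or '<unnamed>'} methods={sorted(c.methods)} roles="
            f"{'unrestricted' if c.roles is None else sorted(c.roles) or 'deny-all'}"
            for c in cs)
        lines.append(f"{pattern}: {len(cs)} method constraints ({detail})")
    return lines


# Constructed sample descriptors (not taken from any real application).
# Two method constraints on the same extension: the condition to flag.
CONFLICTING_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP read access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP write access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# One constraint per extension (here the stricter role applied to both methods;
# a read/write split would have to be expressed by path instead of by method).
CONSOLIDATED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP access</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for label, xml in (("conflicting", CONFLICTING_WEB_XML), ("consolidated", CONSOLIDATED_WEB_XML)):
        print(f"{label}: " + (" | ".join(describe(xml)) or "no overlapping method constraints"))
```

Run it against each deployed application's WEB-INF/web.xml (replace the embedded samples with the file contents); any line it prints names an extension whose policy should be collapsed into one constraint before, and independently of, the upgrade.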

Advisories

Source: GitHub GHSA
ID: GHSA-5m62-pw8w-7w9f
Title: Apache Tomcat - Security constraints not correctly applied
History

Fri, 15 May 2026 16:00:00 +0000
  CPEs (added): cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Thu, 14 May 2026 21:30:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:30:00 +0000
  Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Tue, 12 May 2026 18:30:00 +0000
  References: updated

Tue, 12 May 2026 18:00:00 +0000
  First Time appeared (added): Apache; Apache tomcat
  Vendors & Products (added): Apache; Apache tomcat

Tue, 12 May 2026 16:00:00 +0000
  Description (added): Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
  Title (added): Apache Tomcat: Security constraints not correctly applied
  Weaknesses (added): CWE-285
  References: updated

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-06-04T09:57:54.826Z
  Reserved: 2026-05-01T16:24:01.021Z
  Link: CVE-2026-43515

Vulnrichment
  Updated: 2026-05-12T17:41:02.585Z

NVD
  Status: Analyzed
  Published: 2026-05-12T16:16:18.553
  Modified: 2026-05-15T15:52:05.177
  Link: CVE-2026-43515

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-14T22:45:31Z

Weaknesses