Description
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug resides in Tomcat's RewriteValve, where an OR chain of conditions is evaluated incorrectly: once the first OR condition matches, all following non-OR conditions are silently skipped. Because those non-OR conditions are meant to be AND-ed with the result of the OR group, the valve may accept, redirect or otherwise process requests that were supposed to be blocked or handled elsewhere, violating the intended security logic of the web application. The flaw is a classic instance of a control flow error, classified as CWE-670.
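To make the control-flow defect concrete, the following Java program is an added illustration and is not Tomcat's code. It models a RewriteCond-style chain in which conditions are AND-ed by default and a condition flagged OR (Tomcat's "ornext") is OR-ed with the one that follows it. The `Cond` and `Request` records and the two evaluator methods are hypothetical; `evaluateBuggy` reproduces the behaviour the advisory describes (an OR match ends evaluation, so the trailing AND-ed condition never runs), while `evaluateFixed` lets an OR match satisfy only its own group and then continues with the remaining conditions. The sample rule and requests are constructed for the demonstration.

```java
import java.util.List;
import java.util.function.Predicate;

// Added example, not Tomcat's implementation: a toy evaluator for an
// OR-chain ("ornext") of rewrite conditions.
public class OrChainDemo {

    // A constructed request with just the attributes the sample rule inspects.
    record Request(String host, String path) {}

    // One condition; orNext == true means "OR this condition with the next one".
    record Cond(String label, Predicate<Request> test, boolean orNext) {}

    // Buggy evaluation, as described in the advisory: when a condition in an
    // OR chain matches, the evaluator returns at once and every later non-OR
    // (AND-ed) condition is skipped.
    static boolean evaluateBuggy(List<Cond> conds, Request req) {
        for (Cond c : conds) {
            boolean matched = c.test().test(req);
            if (c.orNext()) {
                if (matched) {
                    return true; // BUG: treats the OR match as the final verdict
                }
                continue;        // try the next alternative in the group
            }
            if (!matched) {
                return false;    // an AND-ed condition failed
            }
        }
        return true;
    }

    // Corrected evaluation: conditions form groups, each group being zero or
    // more OR-flagged conditions closed by one non-OR condition. A group holds
    // if any member matches; all groups must hold (AND across groups).
    static boolean evaluateFixed(List<Cond> conds, Request req) {
        int i = 0;
        while (i < conds.size()) {
            boolean groupMatched = false;
            while (true) {
                Cond c = conds.get(i++);
                // Once the group is satisfied, later alternatives are skipped,
                // but the index still advances past them.
                if (!groupMatched && c.test().test(req)) {
                    groupMatched = true;
                }
                if (!c.orNext() || i >= conds.size()) {
                    break; // the non-OR condition (or end of chain) closes the group
                }
            }
            if (!groupMatched) {
                return false;
            }
        }
        return true;
    }

    // Intended policy: (host is old.example.test OR legacy.example.test)
    // AND the path is under /public/.
    static final List<Cond> RULE = List.of(
        new Cond("host=old",    r -> r.host().equals("old.example.test"),    true),
        new Cond("host=legacy", r -> r.host().equals("legacy.example.test"), false),
        new Cond("path=public", r -> r.path().startsWith("/public/"),        false)
    );

    public static void main(String[] args) {
        List<Request> samples = List.of(
            new Request("old.example.test", "/internal/config"), // must NOT match
            new Request("legacy.example.test", "/public/index"), // must match
            new Request("other.example.test", "/public/index")   // must NOT match
        );
        for (Request r : samples) {
            System.out.printf("%-20s %-17s buggy=%-5s fixed=%s%n",
                r.host(), r.path(), evaluateBuggy(RULE, r), evaluateFixed(RULE, r));
        }
        // Expected: the first request reports buggy=true but fixed=false, which is
        // exactly the skipped AND-ed path condition the advisory describes.
    }
}
```

The first sample request is the interesting one: its host satisfies the first OR condition, so the buggy evaluator declares a match without ever checking the path restriction, and a rule written to apply only under `/public/` fires for `/internal/config`. When reviewing a rewrite configuration on an affected version, any rule that relies on an AND-ed condition placed after an OR group is the pattern to look for.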

Affected Systems

Apache Tomcat versions from 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, and 8.5.0 through 8.5.100 are affected. Any other end-of-support releases that contain the original RewriteValve implementation may also be vulnerable.

Risk and Exploitability

The issue can be exploited by sending crafted HTTP requests that trigger the RewriteValve, requiring no authentication or privileged access. An attacker could manipulate how requests are routed, potentially accessing unintended resources or causing service disruptions. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the current public knowledge suggests low to moderate exposure, but the logic flaw itself is severe; no direct remote code execution or credential escalation is stated in the description. The vulnerability is best addressed by applying the corrected Tomcat releases.

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the latest releases (11.0.23, 10.1.56, or 9.0.119) where the RewriteValve control flow bug has been fixed.
  • If an upgrade is not possible immediately, disable the RewriteValve mechanism for the affected applications to prevent unintended processing of requests.
  • Restrict access to the web applications that rely on RewriteValve and monitor HTTP traffic for anomalous redirect behaviour to ensure that no residual unauthorized routing occurs.

Generated by OpenCVE AI on June 29, 2026 at 22:23 UTC.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Title        (none)           Apache Tomcat: Bad ornext processing in RewriteValve
Weaknesses   (none)           CWE-670
References   (none)           (none)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:25.256Z

Reserved: 2026-06-09T08:52:02.309Z

Link: CVE-2026-53404

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-670

    Always-Incorrect Control Flow Implementation