Description
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw stems from an always‑incorrect control flow in Apache Tomcat that causes the logged effective web.xml to omit special roles and empty authorization constraints. The missing data can reveal sensitive configuration details about web application access controls, potentially allowing an attacker who obtains the logs to gain insight into application security posture.

Affected Systems

Apache Software Foundation: Apache Tomcat versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.118, 10.1.0-M1 through 10.1.55, and 11.0.0-M1 through 11.0.22 are impacted. Unsupported or end‑of‑support releases may also be vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in KEV. Without a published CVSS score the severity is unclear, but the nature of the issue suggests a moderate risk. Exploitation would likely require the attacker to read the Tomcat logs, which may be restricted to the operating‑system user running the server or to privileged users. If logs are exfiltrated or read locally, the attacker could learn configuration details they are not authorized to see.

Generated by OpenCVE AI on June 29, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to the latest patched release (11.0.23, 10.1.56, or 9.0.119).
  • Restrict file permissions on Tomcat log files so that only trusted users or processes can read them.
  • Monitor log files for anomalous access patterns to detect potential compromise early.

Generated by OpenCVE AI on June 29, 2026 at 22:22 UTC.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description  -                Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Title        -                Apache Tomcat: Logged effective web.xml is incomplete
Weaknesses   -                CWE-670
References   -                -

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:32.168Z

Reserved: 2026-06-16T17:40:51.153Z

Link: CVE-2026-55276

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-670

    Always-Incorrect Control Flow Implementation