Description
Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Authentication in the EncryptionInterceptor of Apache Tomcat allows an attacker to replay previously captured encrypted cluster messages, thereby bypassing authentication and potentially gaining unauthorized access or escalating privileges within the cluster. This flaw is understood as a violation of proper authentication controls (CWE-287) and compromises the confidentiality and integrity of inter‑node communications.

Affected Systems

Affected Apache Tomcat versions range from 7.0.100 to 7.0.109, 8.5.38 to 8.5.100, 9.0.13 to 9.0.18, 10.1.0 to 10.1.55, and 11.0.0 to 11.0.22. The vulnerability resides in the cluster component’s EncryptionInterceptor.

Risk and Exploitability

The lack of replay protection means an attacker who can observe or inject traffic in a Tomcat cluster can replay an encrypted message to impersonate a legitimate node or client. While EPSS data is not available, the vulnerability is classified as an authentication bypass, a high‑risk flaw. The attack vector would involve network access to the cluster, and it would likely require the attacker to capture existing encrypted messages or forge them. The risk remains significant until patched, yet the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to version 11.0.23, 10.1.56, or 9.0.119 depending on the product line in use.
  • If an upgrade is not immediately possible, isolate the cluster from untrusted networks or temporarily disable the cluster component until the patch has been applied.
  • Verify that all inter‑node communications require fresh, validated authentication before processing messages, and consider implementing transport‑level security such as TLS to prevent replay.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.
Title Apache Tomcat: EncryptInterceptor not protected against replay attacks
Weaknesses CWE-287
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:33.117Z

Reserved: 2026-06-17T18:04:49.663Z

Link: CVE-2026-55955

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses