Description
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Authorization in Apache Tomcat causes security constraints defined for the default servlet to be ignored, regardless of the HTTP method specified. This omission enables an attacker to access resources protected by these constraints, effectively bypassing authentication or role checks governed by the servlet’s configuration. The failure aligns with CWE‑285, Unauthorized Access, and can compromise the confidentiality or integrity of any data served through the default servlet.

Affected Systems

The issue affects multiple major releases of Apache Tomcat: from 11.0.0‑M1 through 11.0.22, from 10.1.0‑M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, and from 7.0.0 through 7.0.109. Versions that have reached end of support may also be impacted.

Risk and Exploitability

The CVSS score is not provided, and EPSS data is unavailable, so the quantified risk is unknown, but the vulnerability enables direct authorization bypass. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, as an external user can send HTTP requests to the affected servlet to trigger the constraint bypass. The lack of EPSS data does not preclude exploitation; the nature of the flaw suggests a plausible exploitation path for anyone who can send traffic to the application.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to a fixed version (Tomcat 11.0.23, 10.1.56, 9.0.119, or newer).
  • Verify that the default servlet configuration has not been overridden to use insecure method restrictions.
  • If upgrading is not immediately possible, restrict access to the default servlet by configuring appropriate security constraints or disabling the default servlet entirely.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Title Apache Tomcat: Security constraints for default servlet ignored method
Weaknesses CWE-285
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:34.042Z

Reserved: 2026-06-17T18:36:32.030Z

Link: CVE-2026-55956

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses