Description
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication step in Apache Tomcat’s JNDIRealm allows an attacker to bind using GSSAPI without providing a valid password. This flaw results in the ability to gain authenticated access to the application, potentially exposing confidential data and allowing further attack development. The weakness is identified as CWE-304, an information exposure issue stemming from improper credential verification.

Affected Systems

Apache Tomcat versions from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, and from 7.0.0 through 7.0.109 are affected. These include all releases from Tomcat 7 to the latest 11.x.

Risk and Exploitability

The vulnerability is exploitable over the network once the JNDIRealm is configured to use GSSAPI authenticated binds, with the attacker able to impersonate any user without providing a password. No EPSS score is available, so the likelihood of exploitation is unknown, but the absence of a KEV listing suggests no known public exploits at the time of this analysis. Given the lack of a CVSS score, the potential impact depends on the environment; however, the flaw enables unauthenticated access to application resources, making it a serious security risk whenever the affected feature is enabled.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Tomcat 11.0.5, 10.1.37, or 9.0.101, whichever corresponds to your current major version, to receive the vendor fix.
  • If an immediate upgrade is not possible, reconfigure JNDIRealm to disable GSSAPI authenticated bind or switch to an alternative authentication mechanism.
  • Verify that JNDIRealm authentication is functioning correctly by attempting a legitimate bind after applying the change and monitor logs for unauthorized bind attempts.

Generated by OpenCVE AI on June 29, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
Title Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Weaknesses CWE-304
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:34.997Z

Reserved: 2026-06-17T19:25:28.759Z

Link: CVE-2026-55957

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-304

    Missing Critical Step in Authentication