SB2026051281 - Multiple vulnerabilities in Apache Tomcat

Description

This security bulletin contains information about 7 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-43515)

The vulnerability allows a remote attacker to bypass security constraints.

The vulnerability exists due to improper access control in HTTP method constraint processing when evaluating multiple security constraints for the same extension pattern. A remote attacker can send a request using an improperly constrained HTTP method to bypass security constraints.

2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43514)

The vulnerability allows a remote attacker to disclose the AJP secret.

The vulnerability exists due to observable timing discrepancy in AJP secret comparison when validating the AJP secret. A remote attacker can perform a timing attack to disclose the AJP secret.

Exploitation is limited to an attacker on the local network.

3) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-43513)

The vulnerability allows a remote attacker to weaken brute-force protection against a user's password.

The vulnerability exists due to improper input handling in LockOutRealm when processing case-insensitive user names. A remote attacker can vary the case of a user name during authentication attempts to weaken brute-force protection against a user's password.

This affects Realms where user names are treated as case insensitive.

4) Improper Authentication (CVE-ID: CVE-2026-43512)

The vulnerability allows a remote attacker to authenticate as an unknown user.

The vulnerability exists due to improper authentication in the DIGEST authenticator when processing authentication for users not known to the configured Realm. A remote attacker can submit the password "null" for an unknown user to authenticate as an unknown user.

This occurs only when DIGEST authentication is configured.

5) Information disclosure (CVE-ID: CVE-2026-42498)

The vulnerability allows a remote user to disclose authentication headers to a redirect target host.

The vulnerability exists due to exposure of sensitive information in Tomcat's WebSocket client when following a redirected WebSocket request after authentication. A remote user can trigger a redirect after authentication to disclose authentication headers to a redirect target host.

The issue occurs only if a WebSocket request is redirected after authentication.

6) Input validation error (CVE-ID: CVE-2026-41293)

The vulnerability allows a remote attacker to trigger unexpected application behavior.

The vulnerability exists due to improper input validation in HTTP/2 request header handling when exposing header values through the Servlet API. A remote attacker can send crafted HTTP/2 request headers to trigger unexpected application behavior.

This may affect applications that assume header values exposed through the Servlet API are specification compliant.

7) Resource exhaustion (CVE-ID: CVE-2026-41284)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in WebDAV LOCK and PROPFIND handling when processing request bodies. A remote attacker can send a large request body to cause a denial of service.

The affected requests are available to unauthenticated users.

Remediation

Install update from vendor's website.

References

• https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22
• https://github.com/apache/tomcat/commit/276087d9c7abbcecc6c4fb4e4b08cf64780c6e36
• https://github.com/apache/tomcat/commit/d35d9d23263c8e4af561f615c960c91697ff200e
• https://github.com/apache/tomcat/commit/83f3e51df7b87f5f6e626951c575ded1a512e8ef
• https://github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cd
• https://github.com/apache/tomcat/commit/b7b173694d588ddcfa432f079baf763cbbbaa5c4
• https://github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac
• https://github.com/apache/tomcat/commit/a96fffd18487a29c0a30d36f00cb2b2d91f6d42c