SB2026063007 - Multiple vulnerabilities in Apache Tomcat
Published: June 30, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-55956)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass security constraints.
The vulnerability exists due to improper access control in the default servlet when processing requests subject to configured security constraints with method or method omission settings. A remote attacker can send a crafted request using an ignored method to bypass security constraints.
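The bulletin says only constraints that carry method or method-omission settings are in scope, so the first thing an administrator wants is a list of exactly those constraints in each deployed web.xml. The script below is an added audit example, not code from the bulletin or from the Apache Tomcat project. It assumes the standard Servlet deployment-descriptor element names (`security-constraint`, `web-resource-collection`, `http-method`, `http-method-omission`) and works with or without a namespace on the root element; the sample web.xml is constructed for the example. It also reports whether the descriptor declares `<deny-uncovered-http-methods/>`, which is a general Servlet hardening setting and is not described by the bulletin as a mitigation for this issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the bulletin or any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin GET only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything except TRACE</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method-omission>TRACE</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All methods</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def method_scoped_constraints(xml_text):
    """Return every web-resource-collection that restricts the constraint to
    specific HTTP methods (http-method) or excludes some (http-method-omission).
    These are the constraints the bulletin identifies as affected."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name, patterns, methods, omissions = "", [], [], []
            for child in wrc:
                tag, text = _local(child.tag), (child.text or "").strip()
                if tag == "web-resource-name":
                    name = text
                elif tag == "url-pattern":
                    patterns.append(text)
                elif tag == "http-method":
                    methods.append(text.upper())
                elif tag == "http-method-omission":
                    omissions.append(text.upper())
            if methods or omissions:
                findings.append({
                    "name": name,
                    "url_patterns": patterns,
                    "http_methods": methods,
                    "http_method_omissions": omissions,
                })
    return findings


def denies_uncovered_methods(xml_text):
    """True if the descriptor declares <deny-uncovered-http-methods/> (informational)."""
    root = ET.fromstring(xml_text)
    return any(_local(c.tag) == "deny-uncovered-http-methods" for c in root)


if __name__ == "__main__":
    for f in method_scoped_constraints(SAMPLE_WEB_XML):
        print(f"{f['name']}: patterns={f['url_patterns']} "
              f"methods={f['http_methods']} omissions={f['http_method_omissions']}")
    print("deny-uncovered-http-methods present:", denies_uncovered_methods(SAMPLE_WEB_XML))
```

Run it against each `WEB-INF/web.xml` (and the global `conf/web.xml`) to produce an inventory of method-scoped constraints; any listed entry is a resource whose protection depends on the fixed release being installed.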
2) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-55955)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to replay protected communications.
The vulnerability exists due to missing replay protection in EncryptInterceptor when processing encrypted messages. A remote attacker can capture and resend previously valid messages to replay protected communications.
3) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-55276)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to obtain incomplete security configuration information.
The vulnerability exists due to logic errors in the generation of the effective web.xml that Tomcat writes to its configuration logs. Special roles and empty authorization constraints are omitted from the logged effective web.xml, so a local user reviewing the logged output obtains an incomplete picture of the security configuration.
4) Improper Certificate Validation (CVE-ID: CVE-2026-53434)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to authenticate with an invalid certificate.
The vulnerability exists due to improper certificate revocation validation in the FFM Connector when handling connections with an invalid CRL configuration. A remote attacker can present an invalid certificate and still be authenticated.
Only configurations using the FFM Connector with invalid CRLs are affected.
5) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-53404)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass rewrite conditions.
The vulnerability exists due to logic errors in RewriteValve when evaluating requests against OR-chained rewrite conditions. A remote attacker can send a request that matches the first condition of an OR chain to bypass the rewrite conditions.
Exploitation requires a rule set in which an OR chain is followed by non-OR conditions.
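Because the affected rule shape is narrow (an OR chain of `RewriteCond` lines followed by further non-OR conditions before the `RewriteRule`), a configuration audit can tell an administrator whether any of their rewrite.config files matches it. The script below is an added example and is not code from the bulletin or from the Tomcat project. It assumes the documented rewrite.config line format (`RewriteCond TestString CondPattern [flags]`, `RewriteRule Pattern Substitution [flags]`, with conditions applying to the next rule and `OR`/`ornext` marking an OR-chained condition); the sample configuration is constructed, and the detection only recognises the rule shape the bulletin describes, it does not reproduce Tomcat's evaluation logic.

```python
import re

# Constructed sample rewrite.config (not from the bulletin or a real deployment).
SAMPLE_REWRITE_CONFIG = """
# Rule 1: OR chain (two address patterns) followed by a non-OR path condition.
RewriteCond %{REMOTE_ADDR} ^10\\. [OR]
RewriteCond %{REMOTE_ADDR} ^192\\.168\\.
RewriteCond %{REQUEST_URI} ^/internal/
RewriteRule ^/internal/(.*)$ /allowed/$1 [L]

# Rule 2: a plain OR chain with nothing after it.
RewriteCond %{HTTP_HOST} ^old\\.example$ [NC,OR]
RewriteCond %{HTTP_HOST} ^legacy\\.example$ [NC]
RewriteRule ^/(.*)$ https://www.example/$1 [R=301,L]

# Rule 3: AND-only conditions.
RewriteCond %{HTTP_USER_AGENT} ^curl
RewriteCond %{REQUEST_URI} ^/admin/
RewriteRule ^/admin/(.*)$ /forbidden [L]
"""

_FLAG_RE = re.compile(r"^\[(.*)\]$")


def _flags(tokens):
    """Return the bracketed flag list of a RewriteCond/RewriteRule line, upper-cased."""
    if len(tokens) > 3:
        m = _FLAG_RE.match(tokens[-1])
        if m:
            return [f.strip().upper() for f in m.group(1).split(",") if f.strip()]
    return []


def parse_rewrite_config(text):
    """Group each RewriteRule with the RewriteCond lines that precede it.
    Returns a list of (conditions, rule) where conditions is a list of
    (line_number, is_or) and rule is (line_number, rule_text)."""
    groups, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            is_or = any(f in ("OR", "ORNEXT") for f in _flags(tokens))
            pending.append((lineno, is_or))
        elif directive == "rewriterule":
            groups.append((pending, (lineno, line)))
            pending = []
    return groups


def or_chain_followed_by_and(conditions):
    """True if an OR chain ends (first non-OR condition after an OR-flagged one)
    and at least one more condition follows that terminator."""
    flags = [is_or for _, is_or in conditions]
    if True not in flags:
        return False
    start = flags.index(True)
    for j in range(start, len(flags)):
        if not flags[j]:          # this condition terminates the OR chain
            return j < len(flags) - 1
    return False                  # chain never terminated before the rule


def audit_rewrite_config(text):
    """Return the (line_number, rule_text) of every rule whose conditions match
    the affected shape."""
    return [rule for conds, rule in parse_rewrite_config(text)
            if or_chain_followed_by_and(conds)]


if __name__ == "__main__":
    for lineno, rule in audit_rewrite_config(SAMPLE_REWRITE_CONFIG):
        print(f"line {lineno}: OR chain followed by non-OR conditions -> {rule}")
```

Any rule the audit reports is one whose conditions should be re-checked after upgrading; a flagged rule set is not itself evidence of exploitation, only of exposure to the described logic error.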
6) Cross-site scripting (CVE-ID: CVE-2026-50229)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site scripting attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the number guess example application, which uses wildcard property mapping that exposes internal properties to clients. A remote attacker can supply crafted input that is reflected through the exposed properties and executed in the victim's browser.
The issue is limited to the number guess example application.
Remediation
Install the fixed release from the vendor's website (Apache Tomcat 9.0.119, 10.1.56 or 11.0.23, per the references below).
References
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.56
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.23
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.119
- https://github.com/apache/tomcat/commit/9c3b1efb74fd04f77639720af1d48a8f664ad9bb
- https://github.com/apache/tomcat/commit/3a9ff01d2dfaca651edacbda3260e37b98b540d3
- https://github.com/apache/tomcat/commit/25677f90fd721c26ef0f613d34ef8275b1aafc31
- https://github.com/apache/tomcat/commit/feec60d6099727db6f911534f6a0f6926ebab070
- https://github.com/apache/tomcat/commit/bbb6219fa5ac185060bef7842cee5fb90230ca00
- https://github.com/apache/tomcat/commit/0d5bdd5b0dd964e9f73e530b7d753462b9bfd1d0