Improper access control in Apache Tomcat - CVE-2026-55956

Published: June 30, 2026


Vulnerability identifier: #VU135862
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55956
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass security constraints.

The vulnerability exists due to improper access control in the default servlet when it processes requests that are subject to configured security constraints with method or method-omission settings. A remote attacker can send a crafted request using an HTTP method that the constraint ignores in order to bypass the security constraint.
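The advisory concerns constraints that are scoped to particular HTTP methods. In a deployment descriptor such scoping is expressed with `http-method` (only the listed methods are covered) or `http-method-omission` (every method except the listed ones is covered), and in both cases some methods fall outside the constraint. The script below is an added example, not code from the advisory or from the Tomcat project: it parses a constructed `web.xml`, reports every constraint that is method-scoped, and shows the generic hardening of declaring `deny-uncovered-http-methods` (a Servlet 3.1 element that makes the container reject uncovered methods). That declaration narrows the exposure of method-scoped constraints in general; it is not a substitute for the vendor update that the advisory names as the fix for this CVE.

```python
"""Audit a web.xml for security constraints that cover only some HTTP methods."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the advisory). It has one constraint
# scoped to GET/POST, one scoped by omission, and one covering every method.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method-omission>TRACE</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>private</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

DENY_ELEMENT = "deny-uncovered-http-methods"


def _local(tag):
    """Strip the XML namespace prefix ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is name."""
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return findings for constraints that leave some HTTP methods uncovered.

    Each finding records the URL patterns, how the constraint is scoped
    ('http-method' or 'http-method-omission') and the listed methods.
    If the descriptor declares <deny-uncovered-http-methods/> the container
    rejects uncovered methods itself, so no findings are reported.
    """
    root = ET.fromstring(xml_text)
    if _children(root, DENY_ELEMENT):
        return []
    findings = []
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            patterns = [p.text.strip() for p in _children(wrc, "url-pattern")]
            listed = [m.text.strip() for m in _children(wrc, "http-method")]
            omitted = [m.text.strip() for m in _children(wrc, "http-method-omission")]
            if listed:
                findings.append({"patterns": patterns, "scope": "http-method", "methods": listed})
            if omitted:
                findings.append({"patterns": patterns, "scope": "http-method-omission", "methods": omitted})
    return findings


def harden(xml_text):
    """Return the descriptor with <deny-uncovered-http-methods/> added if absent."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        # Keep the default namespace unprefixed when serialising.
        ET.register_namespace("", ns)
    if not _children(root, DENY_ELEMENT):
        ET.SubElement(root, ("{%s}" % ns if ns else "") + DENY_ELEMENT)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_web_xml(SAMPLE_WEB_XML):
        print("%s scoped by %s %s: other methods are uncovered"
              % (", ".join(f["patterns"]), f["scope"], f["methods"]))
    print("after hardening:", audit_web_xml(harden(SAMPLE_WEB_XML)))
```

Run against the constructed descriptor the audit reports the `/admin/*` and `/reports/*` constraints and nothing for `/private/*`, which has no method scoping; after `harden` adds the deny element the audit is clean. Real descriptors may carry the constraint in a fragment or annotation rather than `web.xml`, so the script is a starting point for a review, not a complete inventory.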


How to mitigate CVE-2026-55956

Install the security update from the vendor's website.

Sources