CVE-2026-24733 — Improper Input Validation in Apache Tomcat

CWE-20 — Improper Input Validation9 documents8 sources

Severity

3.7LOWNVD

EPSS

0.2%

top 59.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedFeb 17

Latest updateFeb 18

Description

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affec…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages2 packages

▶NVDapache/tomcat9.0.1 — 9.0.113+5

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.14+3

🔴Vulnerability Details

GHSA

Apache Tomcat - Security constraint bypass with HTTP/0.9↗2026-02-17

▶

OSV

CVE-2026-24733: Improper Input Validation vulnerability in Apache Tomcat↗2026-02-17

▶

CVEList

Apache Tomcat: Security constraint bypass with HTTP/0.9↗2026-02-17

▶

OSV

Apache Tomcat - Security constraint bypass with HTTP/0.9↗2026-02-17

▶

📋Vendor Advisories

Red Hat

tomcat: security constraint bypass with HTTP/0.9↗2026-02-17

▶

Debian

CVE-2026-24733: tomcat10 - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24733 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-24733 tomcat: security constraint bypass with HTTP/0.9 [fedora-all]↗2026-02-18

▶