CVE-2026-43512
Published 2026-05-12
Priority: P2 (66) · Severity: critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.23% (65.3rd percentile)
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | >= 10.1.0 < 10.1.55 | 10.1.55 |
| apache | tomcat | >= 11.0.0 < 11.0.22 | 11.0.22 |
| apache | tomcat | 7.0.0 – 7.0.109 | — |
| apache | tomcat | 8.5.0 – 8.5.100 | — |
| apache | tomcat | >= 9.0.0 < 9.0.118 | 9.0.118 |
| apache_software_foundation | apache_tomcat | 10.1.0-M1 – 10.1.54 | — |
| apache_software_foundation | apache_tomcat | 11.0.0-M1 – 11.0.21 | — |
| apache_software_foundation | apache_tomcat | 7.0.0 – 7.0.109 | — |
| apache_software_foundation | apache_tomcat | 8.5.0 – 8.5.100 | — |
| apache_software_foundation | apache_tomcat | 9.0.0.M1 – 9.0.117 | — |
| debian | jss | — | — |
| devspaces | server-rhel9 | — | — |
| redhat-pki_10 | jss | — | — |
| ubuntu | tomcat10 | — | — |
| ubuntu | tomcat6 | — | — |
| ubuntu | tomcat7 | — | — |
| ubuntu | tomcat9 | — | — |
Detection & IOCs (extracted from sources)
- Any authentication attempt using the literal password 'null' against a Tomcat DIGEST-authenticated endpoint should be treated as a potential exploitation attempt of CVE-2026-43512.
- Focus detection on Apache Tomcat instances explicitly configured to use DIGEST authentication; these are the only affected configurations. Out-of-the-box/default Tomcat deployments are not vulnerable.
- Monitor Tomcat access logs for successful authentications by usernames that do not exist in the configured Realm, particularly against DIGEST-protected resources, as the bypass authenticates users unknown to the Realm.
- Only Apache Tomcat instances explicitly configured to use DIGEST authentication are vulnerable. Default/out-of-the-box configurations are not affected.
- Even if exploited, the bypassed (unknown) user is not mapped to any realm roles, so standard application authorization constraints still apply and limit the attacker's access.
- Affected version ranges: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and versions before 7.0.0. Older unsupported versions may also be affected.
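As an added defender-side example (not from this page or any of its sources), the Python helper below applies the two detection notes above: it checks whether a webapp's web.xml selects DIGEST authentication, and it scans Tomcat access-log lines written in the AccessLogValve "common" pattern for successful requests to protected paths made under usernames that the configured Realm does not contain. The web.xml, the log lines, the Realm user set and the protected path prefixes are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# (%u is the authenticated remote user, "-" when the request was anonymous).
_COMMON = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def is_digest_configured(web_xml: str) -> bool:
    """True when the webapp's <login-config> selects DIGEST, the only affected setup."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # descriptors are usually namespaced; match the local name
        if el.tag.rsplit('}', 1)[-1] == 'auth-method':
            return (el.text or '').strip().upper() == 'DIGEST'
    return False

def flag_unknown_logins(log_lines, known_users, protected_prefixes):
    """Return (user, path, status) for successful (2xx/3xx) requests to protected
    paths made under a username the configured Realm does not contain."""
    hits = []
    for line in log_lines:
        m = _COMMON.match(line)
        if not m or m['user'] == '-':
            continue  # unparseable line, or no authenticated user
        status = int(m['status'])
        if not 200 <= status < 400:
            continue
        if not any(m['path'].startswith(p) for p in protected_prefixes):
            continue
        if m['user'] not in known_users:
            hits.append((m['user'], m['path'], status))
    return hits

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <login-config><auth-method>DIGEST</auth-method><realm-name>admin</realm-name></login-config>
</web-app>"""
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jun/2026:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2026:10:00:02 +0000] "GET /admin/ HTTP/1.1" 401 -',
    '10.0.0.9 - ghost [01/Jun/2026:10:00:07 +0000] "GET /admin/ HTTP/1.1" 200 512',
    '10.0.0.9 - ghost [01/Jun/2026:10:00:09 +0000] "GET /public/ HTTP/1.1" 200 90',
]

if __name__ == '__main__':
    print('DIGEST configured:', is_digest_configured(SAMPLE_WEB_XML))
    print('Suspicious logins:', flag_unknown_logins(SAMPLE_LOG, {'alice'}, ['/admin/']))
```

The Realm user set would normally be read from the same source the Realm uses (for example tomcat-users.xml for a UserDatabaseRealm); on a patched server no hit can appear, so any hit on an unpatched DIGEST deployment deserves an incident ticket.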
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
VulDB
Apache Tomcat up to 11.0.21 authentication bypass issues (Nessus ID 314335)
vuldb · 2026-05-19 · CVSS 9.8 · CVE-2026-43512 [CRITICAL]
A vulnerability was found in Apache Tomcat up to 7.0.109/8.5.100/9.0.117/10.1.54/11.0.21. It has been declared as critical. This affects an unknown part. Such manipulation leads to authentication bypass issues.
This vulnerability is listed as CVE-2026-43512. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Apache Tomcat - Digest authenticator will authenticate any unknown user
ghsa · 2026-05-12 · CVE-2026-43512 [CRITICAL] · CWE-287
Versions Affected:
- Apache Tomcat 11.0.0-M1 to 11.0.21
- Apache Tomcat 10.1.0-M1 to 10.1.54
- Apache Tomcat 9.0.0.M1 to 9.0.117
- Older, unsupported versions may also be affected
Description:
When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if they presented the password "null".
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.22 or later
- Upgrade to Apache Tomcat 10.1.55 or later
- Upgrade to Apache Tomcat 9.0.118 or later
GHSA
GHSA-h6fc-48rj-7qqh: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat
ghsa_unreviewed · 2026-05-12 · CVE-2026-43512
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu · 2026-06-10 · CVSS 7.5 · CVE-2026-41284 [HIGH]
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header fields. A remote attacker could use this issue to cause Tomcat to crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP authentication headers during WebSocket connection upgrades and redirects. A remote attacker could use this issue to obtain sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrectly handled digest
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu · 2026-06-04 · CVSS 9.8 · CVE-2026-43513 [CRITICAL]
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat incorrectly handled digest authentication. A remote attacker could possibly use this issue to bypass authentication restrictions. (CVE-2026-43512)
It was discovered that Tomcat incorrectly handled case sensitivity in LockOutRealm. A remote attacker could possibly use this issue to bypass account lockout protections and obtain sensitive information. (CVE-2026-43513)
It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined the same HTTP method. A remote attacker could possibly use this issue to bypass authorization restrictions. (CVE-2026-43515)
Instructions: After a standard system update you need to restart Tomcat to make
al
Red Hat
tomcat-coyote: Apache Tomcat: Authentication bypass via digest authentication
vendor_redhat · 2026-05-12 · CVSS 9.8 · CVE-2026-43512 [CRITICAL] · CWE-303
A flaw was found in Apache Tomcat. When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if they presented the password "null". This allows a remote attacker to bypass security controls.
Statement: This Moderate flaw in Apache Tomcat allows an authentication bypass when DIGEST authentication is configured. An attacker can authenticate as any unknown user by providing the password 'null', potentially gaining unauthorized access to applications protected by DIGEST authentication. Red Hat products are only affected if they are configured to use DIGEST authentication, which is not a common, out of the box and expected configuration for Production environments.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43512 jss: Apache Tomcat: Authentication bypass via digest authentication [fedora-all]
bugzilla · 2026-05-27 · CVSS 9.8 · [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43512 mod_proxy_cluster: Apache Tomcat: Authentication bypass via digest authentication [fedora-all]
bugzilla · 2026-05-27 · CVSS 9.8 · [CRITICAL]
Bugzilla
CVE-2026-43512 mod_cluster: Apache Tomcat: Authentication bypass via digest authentication [fedora-all]
bugzilla · 2026-05-27 · CVSS 9.8 · [CRITICAL]
Bugzilla
CVE-2026-43512 tomcat-coyote: Apache Tomcat: Authentication bypass via digest authentication
bugzilla · 2026-05-12 · CVSS 9.8 · [CRITICAL]
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · CVSS 9.8 · CVE-2026-24858 [CRITICAL]
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We