cbcvebase.
CVE-2026-43512
published 2026-05-12


Priority: P266 | Severity: critical | Score: 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.23% (percentile 65.3)
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, and from before 7.0.0. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Affected (17 ranges)

Vendor                      | Product        | Version range          | Fixed in
apache                      | tomcat         | >= 10.1.0 < 10.1.55    | 10.1.55
apache                      | tomcat         | >= 11.0.0 < 11.0.22    | 11.0.22
apache                      | tomcat         | 7.0.0 – 7.0.109        |
apache                      | tomcat         | 8.5.0 – 8.5.100        |
apache                      | tomcat         | >= 9.0.0 < 9.0.118     | 9.0.118
apache_software_foundation  | apache_tomcat  | 10.1.0-M1 – 10.1.54    |
apache_software_foundation  | apache_tomcat  | 11.0.0-M1 – 11.0.21    |
apache_software_foundation  | apache_tomcat  | 7.0.0 – 7.0.109        |
apache_software_foundation  | apache_tomcat  | 8.5.0 – 8.5.100        |
apache_software_foundation  | apache_tomcat  | 9.0.0.M1 – 9.0.117     |
debian                      | jss            |                        |
devspaces                   | server-rhel9   |                        |
redhat-pki_10               | jss            |                        |
ubuntu                      | tomcat10       |                        |
ubuntu                      | tomcat6        |                        |
ubuntu                      | tomcat7        |                        |
ubuntu                      | tomcat9        |                        |

Detection & IOCs (extracted from sources)

  • Any authentication attempt using the literal password 'null' against a Tomcat DIGEST-authenticated endpoint should be treated as a potential exploitation attempt of CVE-2026-43512.
  • Focus detection on Apache Tomcat instances explicitly configured to use DIGEST authentication — these are the only affected configurations. Out-of-the-box/default Tomcat deployments are not vulnerable.
  • Monitor Tomcat access logs for successful authentications by usernames that do not exist in the configured Realm, particularly against DIGEST-protected resources, as the bypass authenticates users unknown to the Realm.
  • Only Apache Tomcat instances explicitly configured to use DIGEST authentication are vulnerable. Default/out-of-the-box configurations are not affected.
  • Even if exploited, the bypassed (unknown) user is not mapped to any realm roles, so standard application authorization constraints still apply and limit the attacker's access.
  • Affected version ranges: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and versions before 7.0.0. Older unsupported versions may also be affected.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat  |         | 9.8   | CRITICAL |
vendor_ubuntu  |         | 9.8   | CRITICAL |