CVE-2026-43515
published 2026-05-12

CVE-2026-43515: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat

Priority: P2 (62) · Severity: critical · CVSS 3.1 base score: 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.14% (62.5th percentile)
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Affected (19 ranges)

Vendor                      Product        Version range           Fixed in
apache                      tomcat         >= 10.1.0 < 10.1.55     10.1.55
apache                      tomcat         >= 11.0.0 < 11.0.22     11.0.22
apache                      tomcat         7.0.0 – 7.0.109
apache                      tomcat         8.5.0 – 8.5.100
apache                      tomcat         >= 9.0.0 < 9.0.118      9.0.118
apache_software_foundation  apache_tomcat  10.1.0-M1 – 10.1.54
apache_software_foundation  apache_tomcat  11.0.0-M1 – 11.0.21
apache_software_foundation  apache_tomcat  7.0.0 – 7.0.109
apache_software_foundation  apache_tomcat  8.5.0 – 8.5.100
apache_software_foundation  apache_tomcat  9.0.0.M1 – 9.0.117
debian                      jss
debian                      tomcat10
devspaces                   server-rhel9
redhat-pki_10               jss
ubuntu                      tomcat10
ubuntu                      tomcat11
ubuntu                      tomcat6
ubuntu                      tomcat7
ubuntu                      tomcat9

Detection & IOCs (extracted from sources)

  • When more than one security constraint puts an HTTP method constraint on the same URL extension pattern, the cited sources state that affected Tomcat versions apply only the first such constraint and silently ignore the later ones. Exploitation attempts therefore look like requests to an extension whose protection lives in a later-defined constraint, using a method that only that later constraint restricts, and being served without any authorization check.
  • Focus detection on requests that reach such resources and receive 200 OK instead of 401/403 from Apache Tomcat in the affected ranges (11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, 7.0.0 through 7.0.109). A 200 for a request carrying a valid session or remote user is expected; the signal is a 200 for an unauthenticated request to a path and method the descriptor says require a role.
  • The vulnerability is only exploitable when a web application's deployment descriptor (web.xml) defines multiple <security-constraint> elements that each specify an HTTP method constraint (<http-method> or <http-method-omission>) for the same URL extension pattern. Deployments without overlapping method constraints on the same extension are not affected, so auditing each deployed application's web.xml for that overlap is the quickest way to scope exposure.
  • Fixed versions are 11.0.22, 10.1.55 and 9.0.118. No fixed version is given for the 8.5.x and 7.0.x lines; both branches are end-of-life upstream, so deployments on them should plan to move to a supported branch rather than wait for a patch.
  • Multiple Red Hat product packages (including JBoss Web Server 5/6, JBoss EAP Expansion Pack, Red Hat Fuse 7, Red Hat SSO 7, Red Hat Process Automation 7 and others) have fix status listed as 'Fix deferred', meaning those environments remain vulnerable until patches are released.
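The trigger condition in the third bullet and the log-based detection in the first two, as an added example that is not code from the advisory, the cited sources or the Tomcat project. It audits a web.xml for extension patterns named by more than one method-constrained <security-constraint>, derives which methods only a later (ignored, per the bullets above) constraint restricts, and scans access-log lines for unauthenticated 200 responses on those extension/method pairs. The descriptor, the log lines, the IP addresses and the application paths are constructed for illustration; the "first constraint wins" behaviour is taken from the bullets above, not verified against Tomcat source, and role names are not compared.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed descriptor: two method constraints name *.do. Per the advisory
# text, affected Tomcat versions apply only the first, so POST and DELETE to
# *.do would skip the admin check. Merging both into one constraint listing
# GET, POST and DELETE removes the overlap. *.jsp has no method constraint.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""
ALL_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE"})

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace

def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def _covered(entry):
    """Methods one constraint restricts; an omission covers all but the omitted."""
    cov = set(entry["methods"])
    if entry["omitted"]:
        cov |= ALL_METHODS - set(entry["omitted"])
    return cov

def constraints_by_extension(web_xml):
    """Map each '*.ext' url-pattern to the method-constrained constraints naming it."""
    found = defaultdict(list)
    for sc in (c for c in ET.fromstring(web_xml) if _local(c.tag) == "security-constraint"):
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods, omitted = _texts(wrc, "http-method"), _texts(wrc, "http-method-omission")
            if not methods and not omitted:
                continue  # no method constraint: not part of the trigger
            for pattern in _texts(wrc, "url-pattern"):
                if pattern.startswith("*."):
                    found[pattern].append({"methods": methods, "omitted": omitted})
    return dict(found)

def overlapping_extensions(web_xml):
    """Extension patterns named by two or more method constraints: the trigger."""
    return {p: e for p, e in constraints_by_extension(web_xml).items() if len(e) > 1}

def at_risk_methods(web_xml):
    """Per overlapping extension, methods only a later (ignored) constraint restricts."""
    risk = {}
    for ext, entries in overlapping_extensions(web_xml).items():
        gap = set().union(*(_covered(e) for e in entries[1:])) - _covered(entries[0])
        if gap:
            risk[ext] = gap
    return risk

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def suspicious_requests(web_xml, log_lines):
    """Unauthenticated requests (no remote user) answered 200 on an at-risk
    extension with an at-risk method: candidate bypasses worth triage."""
    risk = at_risk_methods(web_xml)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or m["user"] != "-":
            continue
        path = m["path"].split("?", 1)[0]
        for ext, methods in risk.items():
            if path.endswith(ext[1:]) and m["method"] in methods:
                hits.append((m["ip"], m["method"], path))
    return hits

SAMPLE_LOG = [  # constructed lines in the "common" format above
    '10.0.0.5 - - [12/May/2026:10:15:32 +0000] "GET /app/report.do HTTP/1.1" 401 -',
    '10.0.0.5 - - [12/May/2026:10:15:40 +0000] "POST /app/report.do HTTP/1.1" 200 512',
    '10.0.0.7 - admin [12/May/2026:10:16:01 +0000] "DELETE /app/report.do?id=3 HTTP/1.1" 200 12',
    '10.0.0.9 - - [12/May/2026:10:17:02 +0000] "POST /app/index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("at risk:", at_risk_methods(SAMPLE_WEB_XML))
    print("suspicious:", suspicious_requests(SAMPLE_WEB_XML, SAMPLE_LOG))
```

On the sample the audit reports *.do with POST and DELETE as the methods only the second constraint restricts, and the log scan flags the unauthenticated POST that got a 200 while ignoring the admin's DELETE (a 200 for an authenticated user is normal) and the *.jsp request (no overlap). Only extension patterns are considered because that is what the advisory describes; exact and prefix patterns are out of scope here.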

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.1      9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_ubuntu           9.8    CRITICAL
vendor_redhat           9.1    CRITICAL