CVE-2026-43515
Published 2026-05-12
CVE-2026-43515: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
Priority P2 · 62 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 1.14% (62.5th percentile)
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | >= 10.1.0 < 10.1.55 | 10.1.55 |
| apache | tomcat | >= 11.0.0 < 11.0.22 | 11.0.22 |
| apache | tomcat | 7.0.0 – 7.0.109 | — |
| apache | tomcat | 8.5.0 – 8.5.100 | — |
| apache | tomcat | >= 9.0.0 < 9.0.118 | 9.0.118 |
| apache_software_foundation | apache_tomcat | 10.1.0-M1 – 10.1.54 | — |
| apache_software_foundation | apache_tomcat | 11.0.0-M1 – 11.0.21 | — |
| apache_software_foundation | apache_tomcat | 7.0.0 – 7.0.109 | — |
| apache_software_foundation | apache_tomcat | 8.5.0 – 8.5.100 | — |
| apache_software_foundation | apache_tomcat | 9.0.0.M1 – 9.0.117 | — |
| debian | jss | — | — |
| debian | tomcat10 | — | — |
| devspaces | server-rhel9 | — | — |
| redhat-pki_10 | jss | — | — |
| ubuntu | tomcat10 | — | — |
| ubuntu | tomcat11 | — | — |
| ubuntu | tomcat6 | — | — |
| ubuntu | tomcat7 | — | — |
| ubuntu | tomcat9 | — | — |
Detection & IOCs (extracted from sources)
- When multiple security constraints define an HTTP method constraint for the same URL extension pattern, Apache Tomcat only applies the first method constraint; subsequent constraints are silently ignored. Detect exploitation attempts by monitoring for requests to URL extensions that should be protected by later-defined security constraints but are being served without authorization enforcement.
- Focus detection on HTTP requests reaching restricted resources without proper authorization responses (i.e., 200 OK instead of 401/403) on Apache Tomcat versions 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109.
- The vulnerability is only exploitable when a web application's deployment descriptor (web.xml) defines multiple <security-constraint> elements that each specify an HTTP method constraint (<http-method> or <http-method-omission>) for the same URL extension pattern. Deployments without overlapping method constraints on the same extension are not affected.
- Fixed versions are 11.0.22, 10.1.55, and 9.0.118. Note that fix status for the 8.5.x and 7.0.x lines is not mentioned in the fix recommendations, suggesting those branches may not receive patches.
- Multiple Red Hat product packages (including JBoss Web Server 5/6, JBoss EAP Expansion Pack, Red Hat Fuse 7, Red Hat SSO 7, Red Hat Process Automation 7, and others) have fix status listed as 'Fix deferred', meaning those environments remain vulnerable until patches are released.
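As an added defender-side check (not from any of the advisories quoted here), the following Python script parses a web.xml and reports every extension url-pattern that is method-constrained by more than one <security-constraint>, which is exactly the precondition described above; finding such a pattern means the descriptor should be audited, and the instance upgraded, before relying on the later constraints. The sample descriptor is constructed and uses only the standard library.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample descriptor (not from any real deployment): two
# constraints put method constraints on "*.report"; "*.export" has one.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint><web-resource-collection>
    <url-pattern>*.report</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>viewer</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection>
    <url-pattern>*.report</url-pattern>
    <http-method>POST</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection>
    <url-pattern>*.export</url-pattern>
    <http-method-omission>GET</http-method-omission>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so tag names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    """Trimmed text of every direct child of `parent` named `name`."""
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]

def find_overlapping_method_constraints(web_xml_text):
    """Map each extension url-pattern ("*.ext") to the (index, method spec)
    pairs that method-constrain it; keep only patterns hit by 2+ constraints."""
    hits = defaultdict(list)
    constraints = [e for e in ET.fromstring(web_xml_text)
                   if _local(e.tag) == "security-constraint"]
    for idx, sc in enumerate(constraints):
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = _texts(wrc, "http-method")
            omitted = _texts(wrc, "http-method-omission")
            if not (methods or omitted):
                continue  # no HTTP method constraint: not part of this issue
            spec = ("methods=" + ",".join(methods)) if methods else ("omit=" + ",".join(omitted))
            for pattern in _texts(wrc, "url-pattern"):
                if pattern.startswith("*."):  # extension mapping only
                    hits[pattern].append((idx, spec))
    return {p: v for p, v in hits.items() if len(v) > 1}
```

On the sample, only `*.report` is flagged: constraints 0 and 1 both method-constrain it, while `*.export` is constrained once and is not part of this issue.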
CVSS provenance
- NVD (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- vendor_ubuntu: 9.8 CRITICAL
- vendor_redhat: 9.1 CRITICAL
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2026-06-18·CVSS 7.5
CVE-2026-42498 [HIGH] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
possibly use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could possibly use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrec
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2026-06-10·CVSS 7.5
CVE-2026-41284 [HIGH] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)
It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)
It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)
It was discovered that Tomcat incorrectly handled digest
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 9.8
CVE-2026-43513 [CRITICAL] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions. (CVE-2026-43512)
It was discovered that Tomcat incorrectly handled case sensitivity
in LockOutRealm. A remote attacker could possibly use this issue to
bypass account lockout protections and obtain sensitive information.
(CVE-2026-43513)
It was discovered that Tomcat incorrectly handled authorization when
multiple method constraints defined the same HTTP method. A remote
attacker could possibly use this issue to bypass authorization
restrictions. (CVE-2026-43515)
Instructions: After a standard system update you need to restart Tomcat to make
al
Red Hat
tomcat-coyote: tomcat: Improper Authorization allows security bypass
vendor_redhat·2026-05-12·CVSS 9.1
CVE-2026-43515 [CRITICAL] CWE-551 tomcat-coyote: tomcat: Improper Authorization allows security bypass
tomcat-coyote: tomcat: Improper Authorization allows security bypass
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
In Apache Tomcat, when multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. A remote attacker could exploit this to bypass intended security restrictions for information or actions within the application.
Package: redhat-pki:10/
VulDB
Apache Tomcat up to 11.0.21 improper authorization (Nessus ID 314335)
vuldb·2026-05-19·CVSS 9.1
CVE-2026-43515 [CRITICAL] Apache Tomcat up to 11.0.21 improper authorization (Nessus ID 314335)
A vulnerability categorized as critical has been discovered in Apache Tomcat up to 11.0.21. Affected by this issue is some unknown functionality. Such manipulation leads to improper authorization.
This vulnerability is documented as CVE-2026-43515. The attack can be executed remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-5m62-pw8w-7w9f: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat
ghsa_unreviewed·2026-05-12
CVE-2026-43515 CWE-285 GHSA-5m62-pw8w-7w9f: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
GHSA
Apache Tomcat - Security constraints not correctly applied
ghsa·2026-05-12
CVE-2026-43515 [CRITICAL] CWE-285 Apache Tomcat - Security constraints not correctly applied
Apache Tomcat - Security constraints not correctly applied
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Older, unsupported versions may also be affected
Description:
When multiple security constraints defined an HTTP method constraint for
the same extension pattern, only the first method constraint was applied.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.22 or later
- Upgrade to Apache Tomcat 10.1.55 or later
- Upgrade to Apache Tomcat 9.0.118 or later
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43515 mod_proxy_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
bugzilla·2026-06-16·CVSS 9.1
CVE-2026-43515 [CRITICAL] CVE-2026-43515 mod_proxy_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
CVE-2026-43515 mod_proxy_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43515 jss: tomcat: Improper Authorization allows security bypass [fedora-all]
bugzilla·2026-06-16·CVSS 9.1
CVE-2026-43515 [CRITICAL] CVE-2026-43515 jss: tomcat: Improper Authorization allows security bypass [fedora-all]
CVE-2026-43515 jss: tomcat: Improper Authorization allows security bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43515 mod_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
bugzilla·2026-06-16·CVSS 9.1
CVE-2026-43515 [CRITICAL] CVE-2026-43515 mod_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
CVE-2026-43515 mod_cluster: tomcat: Improper Authorization allows security bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43515 tomcat-coyote: tomcat: Improper Authorization allows security bypass
bugzilla·2026-05-12·CVSS 9.1
CVE-2026-43515 [CRITICAL] CVE-2026-43515 tomcat-coyote: tomcat: Improper Authorization allows security bypass
CVE-2026-43515 tomcat-coyote: tomcat: Improper Authorization allows security bypass
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We