CVE-2026-55276
published 2026-06-29
Priority P2 · 61 · critical 9.1 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.17% (7.1th percentile)
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache_software_foundation | apache_tomcat | 10.1.0-M1 – 10.1.55 | — |
| apache_software_foundation | apache_tomcat | 11.0.0-M1 – 11.0.22 | — |
| apache_software_foundation | apache_tomcat | 8.5.0 – 8.5.100 | — |
| apache_software_foundation | apache_tomcat | 9.0.0.M1 – 9.0.118 | — |
| debian | tomcat10 | — | — |
| debian | tomcat11 | — | — |
| debian | tomcat9 | — | — |
| pki-deps_10.6 | pki-servlet-engine | — | — |
Detection & IOCs (extracted from sources)
- This is a logging-only issue affecting the effective web.xml debug log output in Apache Tomcat. Detection should focus on identifying vulnerable Tomcat versions (11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, 8.5.0 through 8.5.100) where the effective web.xml log may omit special roles and empty authorization constraints, potentially misleading administrators.
- When reviewing Tomcat debug logs for security constraint configuration, administrators on affected versions should not trust the effective web.xml log output as a complete representation of authorization constraints — omissions of special roles or empty constraints may indicate the bug is present rather than a genuine absence of those constraints.
- This vulnerability has no runtime security impact. It only affects the accuracy of debug log output. Administrators should not rely solely on the effective web.xml debug log to verify security constraint configuration on affected versions.
- Red Hat has deferred fixes across multiple RHEL packages (tomcat, tomcat6, tomcat9, tomcat10, tomcat11, pki-servlet-engine, jws5-tomcat). Environments relying on these packages should track upstream fix availability independently.
- Other versions of Apache Tomcat that have reached end of support may also be affected by this flaw and will not receive patches.
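Since detection here comes down to version identification, the following is an added example (not code from the advisory or the Tomcat project) that checks a Tomcat version string against the affected ranges stated above. It assumes the version formats Tomcat actually uses, including the milestone spellings 11.0.0-M1 and 9.0.0.M1, which must sort before the GA release with the same x.y.z.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed releases exactly as the advisory text lists them.
# Each entry: (branch, first affected, last affected, first fixed or None).
AFFECTED_RANGES = [
    ((11, 0), "11.0.0-M1", "11.0.22", "11.0.23"),
    ((10, 1), "10.1.0-M1", "10.1.55", "10.1.56"),
    ((9, 0), "9.0.0.M1", "9.0.118", "9.0.119"),
    ((8, 5), "8.5.0", "8.5.100", None),  # advisory names no fixed 8.5.x release
]

# Accepts "x.y.z", "x.y.z-Mn" (Tomcat 10/11) and "x.y.z.Mn" (Tomcat 9).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version string to a sortable tuple.

    Milestones get rank 0 and GA releases rank 1 in the fourth slot, so
    11.0.0-M1 < 11.0.0-M2 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_cve_2026_55276(version: str) -> Tuple[Optional[bool], Optional[str]]:
    """Return (affected, fixed_in) for a Tomcat version string.

    affected is True or False for the branches the advisory enumerates and
    None for any other branch: the advisory says end-of-support versions may
    also be affected, so those need a separate decision rather than a "clean".
    """
    key = version_key(version)
    for branch, first, last, fixed in AFFECTED_RANGES:
        if key[:2] != branch:
            continue
        affected = version_key(first) <= key <= version_key(last)
        return affected, fixed
    return None, None


if __name__ == "__main__":
    for v in ("11.0.22", "11.0.23", "9.0.0.M1", "8.5.100", "7.0.109"):
        print(v, check_cve_2026_55276(v))
```

A result of `(None, None)` for a 7.x or unlisted branch should be treated as "unknown, likely unpatched", not as unaffected.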
CVSS provenance
nvd · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat · 2.3 LOW
VulDB · 2026-06-30
CVE-2026-55276 [CRITICAL] Apache Tomcat up to 11.0.22 web.xml control flow (EUVD-2026-40230)
A vulnerability identified as critical has been detected in Apache Tomcat up to 7.x/8.5.100/9.0.118/10.1.55/11.0.22. Affected by this issue is some unknown functionality of the file web.xml. The manipulation leads to incorrect control flow.
This vulnerability is referenced as CVE-2026-55276. Remote exploitation of the attack is possible. No exploit is available.
You should upgrade the affected component.
GHSA (ghsa_unreviewed) · 2026-06-29
CVE-2026-55276 [CRITICAL] CWE-670
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Red Hat (vendor_redhat) · 2026-06-29 · CVSS 2.3
CVE-2026-55276 [LOW] CWE-778 tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow
A flaw was found in Apache Tomcat. Due to an always-incorrect control flow implementation, special roles and empty authorization constraints were not accurately included when the effective web.xml configuration was logged. This could lead to a security oversight where administrators might misinterpret the actual authorization constraints, potentially impacting the security posture of the application.
Statement: A flaw was found in Apache Tomcat. When the effective web.xml logging feature is enabled for debugging, special roles and empty authorization constraints may be omitted from the logged output. This is a logging-only issue with no runtime security impact — it only affects the accuracy of debug log output.
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-06-29
CVE-2026-55276 [LOW] tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Bugzilla · 2026-06-29
CVE-2026-55276 tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 1
Published 2026-06-29