cbcvebase.
CVE-2026-55276
published 2026-06-29


Priority: P261
Severity: critical (CVSS 3.1 base score 9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.17% (7.1th percentile)
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.

Affected (9 ranges)

Vendor                      Product             Version range          Fixed in
apache                      tomcat              (not specified)        -
apache_software_foundation  apache_tomcat       10.1.0-M1 - 10.1.55    10.1.56
apache_software_foundation  apache_tomcat       11.0.0-M1 - 11.0.22    11.0.23
apache_software_foundation  apache_tomcat       8.5.0 - 8.5.100        (none listed; branch is end of support)
apache_software_foundation  apache_tomcat       9.0.0.M1 - 9.0.118     9.0.119
debian                      tomcat10            (not specified)        -
debian                      tomcat11            (not specified)        -
debian                      tomcat9             (not specified)        -
pki-deps_10.6               pki-servlet-engine  (not specified)        -

Detection & IOCs (extracted from sources)

  • This is a logging-only issue affecting the effective web.xml debug log output in Apache Tomcat. Detection should focus on identifying vulnerable Tomcat versions (11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, 8.5.0 through 8.5.100), on which the effective web.xml log may omit special roles and empty authorization constraints and thereby mislead administrators.
  • When reviewing Tomcat debug logs for security constraint configuration, administrators on affected versions should not treat the effective web.xml log output as a complete representation of the authorization constraints: the absence of special roles or empty constraints from the log may indicate the bug is present rather than a genuine absence of those constraints.
  • This vulnerability has no runtime security impact; it only affects the accuracy of debug log output. Administrators should not rely solely on the effective web.xml debug log to verify security constraint configuration on affected versions.
  • Red Hat has deferred fixes across multiple RHEL packages (tomcat, tomcat6, tomcat9, tomcat10, tomcat11, pki-servlet-engine, jws5-tomcat). Environments relying on these packages should track upstream fix availability independently.
  • Other versions of Apache Tomcat that have reached end of support may also be affected by this flaw and will not receive patches.
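Since the detection advice above reduces to a version check, here is an added example (not code from cbcvebase, Apache Tomcat or Red Hat) that compares a Tomcat version string against the inclusive affected ranges published in this advisory. It handles the two milestone spellings the ranges use ("11.0.0-M1" and "9.0.0.M1"), orders milestones before the GA release of the same number, and pulls version strings out of "Apache Tomcat/x.y.z" banner lines. The sample log lines are constructed for the example, and the assumption that a banner contains "Apache Tomcat/<version>" is the author's, not taken from the page.

```python
"""Check Tomcat version strings against the affected ranges published for CVE-2026-55276."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Inclusive affected ranges and fixed release, taken from the advisory text above.
# 8.5.x has no fixed release listed: that branch has reached end of support.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.22", "11.0.23"),
    ("10.1.0-M1", "10.1.55", "10.1.56"),
    ("9.0.0.M1", "9.0.118", "9.0.119"),
    ("8.5.0", "8.5.100", None),
]

# Version forms used on this page: "10.1.55", "11.0.0-M1", "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Assumed banner shape, e.g. "Server version name:   Apache Tomcat/9.0.118".
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[.-]M\d+)?)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version into a sortable tuple.

    Milestones (M1, M2, ...) of a release sort before the GA release of that
    number, so the fourth field is a rank: 0 = milestone, 1 = GA.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_in) for one version string.

    affected is True only when the version lies inside a published range.
    Branches the advisory does not enumerate (for example 10.0.x, which is
    end of support) return (False, None) and still deserve manual review,
    because the advisory says unsupported versions may also be affected.
    """
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def version_from_banner(line: str) -> Optional[str]:
    """Extract the version from an 'Apache Tomcat/x.y.z' banner line, if present."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


# Constructed sample lines in the shape of version.sh / catalina.out output;
# these are not captures from any real host.
SAMPLE_LINES = [
    "Server version name:   Apache Tomcat/9.0.118",
    "Server version name:   Apache Tomcat/10.1.56",
    "Server version name:   Apache Tomcat/11.0.0-M1",
    "OS Name:               Linux",
]


def scan_lines(lines: Iterable[str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map every version found in the lines to its (affected, fixed_in) assessment."""
    results: Dict[str, Tuple[bool, Optional[str]]] = {}
    for line in lines:
        ver = version_from_banner(line)
        if ver is not None:
            results[ver] = assess(ver)
    return results


if __name__ == "__main__":
    for ver, (affected, fixed) in scan_lines(SAMPLE_LINES).items():
        if affected:
            print(f"{ver}: AFFECTED, upgrade to {fixed or 'a supported branch'}")
        else:
            print(f"{ver}: not in a published affected range")
```

A negative result from assess() is only a statement that the version is outside the enumerated ranges; a version on a branch the advisory does not list should be checked by hand, and the logging output itself cannot be used as evidence either way.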

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat   -        2.3    LOW       -