VYPR
Low severity · NVD Advisory · Published Feb 17, 2026 · Updated Mar 11, 2026

Apache Tomcat: Security constraint bypass with HTTP/0.9

CVE-2026-24733

Description

Improper Input Validation vulnerability in Apache Tomcat.

Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification-invalid) HEAD request using HTTP/0.9.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.

Older, EOL versions are also affected.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which fix the issue.
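The following Python is an added illustration, not Tomcat code and not part of this advisory. It models, in simplified form, the request-line handling the fix changes: a request line with no protocol token is HTTP/0.9, the vulnerable behaviour accepts any method on such a request, and the patched behaviour rejects every non-GET HTTP/0.9 request with a 400 before the security constraint is consulted. The constraint map, the `/secret` URI, the status values and the sample request lines are all constructed for the example; the `flag_non_get_http09` helper is a review aid for raw request lines, not a Tomcat API.

```python
"""Model of the HTTP/0.9 method check behind CVE-2026-24733 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestLine:
    method: str
    uri: str
    protocol: str  # "" means HTTP/0.9: the request line carried no version token

    @property
    def http09(self) -> bool:
        return self.protocol == ""


def parse_request_line(line: str) -> RequestLine:
    """Split 'METHOD SP URI [SP PROTOCOL] CRLF'. Two tokens means HTTP/0.9."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) == 2:
        return RequestLine(parts[0], parts[1], "")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return RequestLine(parts[0], parts[1], parts[2])
    raise ValueError(f"malformed request line: {line!r}")


# Constructed security constraint (hypothetical): HEAD is allowed on /secret,
# GET is denied, which is exactly the configuration the advisory describes.
CONSTRAINTS = {"/secret": {"HEAD"}}


def constraint_allows(req: RequestLine) -> bool:
    """Return True when no constraint covers the URI or the method is permitted."""
    allowed = CONSTRAINTS.get(req.uri)
    return allowed is None or req.method in allowed


def handle(line: str, fixed: bool) -> int:
    """Return the status the modelled container would produce for a request line.

    fixed=False models the vulnerable behaviour (any method accepted on HTTP/0.9).
    fixed=True models the patched prepareRequestProtocol(): non-GET HTTP/0.9
    requests get a 400 before any constraint is evaluated.  Note that a real
    HTTP/0.9 response has no status line, so the client would only ever see the
    body; the integer here is the container-side decision, not wire output.
    """
    req = parse_request_line(line)
    if fixed and req.http09 and req.method != "GET":
        return 400  # GET is the only allowed method for HTTP/0.9
    if not constraint_allows(req):
        return 403
    return 200


def flag_non_get_http09(lines):
    """Review aid: return raw request lines that vulnerable versions would have
    accepted although they are specification-invalid (HTTP/0.9 with a non-GET
    method).  Lines that do not parse are skipped rather than flagged."""
    flagged = []
    for line in lines:
        try:
            req = parse_request_line(line)
        except ValueError:
            continue
        if req.http09 and req.method != "GET":
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Constructed sample request lines (not captured traffic).
    samples = ["GET / HTTP/1.1", "HEAD /secret", "GET /legacy", "POST /test", "garbage"]
    print("vulnerable, HEAD /secret via HTTP/0.9:", handle("HEAD /secret\r\n", fixed=False))
    print("fixed,      HEAD /secret via HTTP/0.9:", handle("HEAD /secret\r\n", fixed=True))
    print("flagged:", flag_non_get_http09(samples))
```

The key comparison is the pair of `handle("HEAD /secret\r\n", ...)` calls: with `fixed=False` the HEAD-only constraint lets the request through (the bypass), with `fixed=True` the request is rejected as 400 before the constraint is ever consulted, while a plain HTTP/0.9 `GET` of an unconstrained URI still succeeds.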

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper input validation flaw in Apache Tomcat allows an attacker to bypass security constraints that deny GET requests by sending a HEAD request over HTTP/0.9.

Vulnerability

Overview

CVE-2026-24733 is an improper input validation vulnerability in Apache Tomcat. The root cause is that Tomcat did not enforce the requirement that HTTP/0.9 requests must use only the GET method, as specified by the HTTP protocol. This oversight allows an attacker to send a HEAD request using HTTP/0.9, even though the HTTP/0.9 protocol does not support HEAD requests [1][2][3][4].

Attack

Vector

The vulnerability is exploitable in environments where a security constraint has been configured to allow HEAD requests to a particular URI but deny GET requests. By sending a malformed (specification-invalid) HEAD request using HTTP/0.9, an attacker can bypass the intended access control and obtain a response that would otherwise be blocked for a GET request. The attack requires no special privileges and can be executed over the network [1][4].

Impact

Successful exploitation allows an attacker to circumvent security policies that restrict access to specific URIs via GET requests. This could lead to unauthorized disclosure of information or other actions that the security constraint was designed to prevent, depending on the application's use of the HTTP method to control access [2][4].

Mitigation

The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0.M1 through 9.0.112, as well as older, end-of-life (EOL) versions [4]. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which include the fix. For EOL versions no patch is available, and upgrading to a supported line is advised [1][2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions          Patched versions
org.apache.tomcat.embed:tomcat-embed-core   Maven       >= 11.0.0-M1, < 11.0.15    11.0.15
org.apache.tomcat.embed:tomcat-embed-core   Maven       >= 10.1.0-M1, < 10.1.50    10.1.50
org.apache.tomcat.embed:tomcat-embed-core   Maven       < 9.0.113                  9.0.113
org.apache.tomcat:tomcat                    Maven       >= 11.0.0-M1, < 11.0.15    11.0.15
org.apache.tomcat:tomcat                    Maven       >= 10.1.0-M1, < 10.1.50    10.1.50
org.apache.tomcat:tomcat                    Maven       < 9.0.113                  9.0.113
org.apache.tomcat:tomcat-catalina           Maven       >= 11.0.0-M1, < 11.0.15    11.0.15
org.apache.tomcat:tomcat-catalina           Maven       >= 10.1.0-M1, < 10.1.50    10.1.50
org.apache.tomcat:tomcat-catalina           Maven       < 9.0.113                  9.0.113

Affected products (2)

  • Apache/Tomcat [llm-fuzzy]
    Range: >= 11.0.0-M1 <= 11.0.14, >= 10.1.0-M1 <= 10.1.49, >= 9.0.0.M1 <= 9.0.112
  • Apache Software Foundation/Apache Tomcat [v5]
    Range: 11.0.0-M1

Patches (3)

2e2fa23f2635

HTTP/0.9 only allows GET

https://github.com/apache/tomcat · remm · Nov 26, 2025 · via ghsa
3 files changed · +23 −0
  • java/org/apache/coyote/http11/Http11Processor.java (+5 −0, modified)
    @@ -608,6 +608,11 @@ private void prepareRequestProtocol() {
                 http09 = true;
                 http11 = false;
                 keepAlive = false;
    +            if (!Method.GET.equals(request.getMethod())) {
    +                // Send 400, GET is the only allowed method for HTTP/0.9
    +                response.setStatus(400);
    +                setErrorState(ErrorState.CLOSE_CLEAN, null);
    +            }
             } else {
                 // Unsupported protocol
                 http09 = false;
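Review bot: The `// Send 400` comment above `response.setStatus(400)` should say that an HTTP/0.9 client never sees a status code, because HTTP/0.9 responses have no status line; the 400 reaches the client only as the error page body, which is also why the accompanying test asserts on the body. The check itself is sound: it rejects every method other than GET before further processing, and `setErrorState(ErrorState.CLOSE_CLEAN, null)` closes the connection, consistent with the `keepAlive = false` set just above.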
    
  • test/org/apache/coyote/http11/TestHttp11InputBuffer.java (+15 −0, modified)
    @@ -657,6 +657,21 @@ public void testInvalidHttp09() {
         }
     
     
    +    @Test
    +    public void testInvalidHttp09Method() {
    +
    +        String[] request = new String[1];
    +        request[0] = "POST /test" + CRLF;
    +
    +        InvalidClient client = new InvalidClient(request);
    +
    +        client.doRequest();
    +        // The response in that case is HTTP/0.9 so only the body
    +        Assert.assertTrue(client.getResponseLine(), client.getResponseLine().contains("400"));
    +        Assert.assertTrue(client.isResponseBodyOK());
    +    }
    +
    +
         @Test
         public void testInvalidEndOfRequestLine01() {
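Review bot: The new test only exercises `"POST /test" + CRLF`; since the advisory's bypass vector is a HEAD request, add a second case with `"HEAD /test" + CRLF` asserting the same 400, and a positive case with `"GET /test" + CRLF` showing that a legitimate HTTP/0.9 GET still succeeds after the change. The comment `// The response in that case is HTTP/0.9 so only the body` would read more clearly as `// HTTP/0.9 responses have no status line, so the 400 appears only in the body`, which is the reason the assertion uses `contains("400")` on the response line.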
     
    
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -135,6 +135,9 @@
             creating a TLS connector if the <code>KeyStore</code> instance has been
             set directly on the connector. (markt)
           </fix>
    +      <fix>
    +        HTTP/0.9 only allows GET as the HTTP method. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
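Review bot: The changelog entry `HTTP/0.9 only allows GET as the HTTP method. (remm)` states the rule but not the observable change; say that non-GET HTTP/0.9 requests are now rejected with a 400 and the connection is closed, so readers of the changelog know what a client will see.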
    
711b465cf226

HTTP/0.9 only allows GET

https://github.com/apache/tomcat · remm · Nov 26, 2025 · via ghsa
3 files changed · +23 −0
  • java/org/apache/coyote/http11/Http11Processor.java (+5 −0, modified)
    @@ -609,6 +609,11 @@ private void prepareRequestProtocol() {
                 http09 = true;
                 http11 = false;
                 keepAlive = false;
    +            if (!Method.GET.equals(request.getMethod())) {
    +                // Send 400, GET is the only allowed method for HTTP/0.9
    +                response.setStatus(400);
    +                setErrorState(ErrorState.CLOSE_CLEAN, null);
    +            }
             } else {
                 // Unsupported protocol
                 http09 = false;
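Review bot: This hunk is the same change as in 2e2fa23f2635, differing only in the `@@ -609,6 +609,11 @@` offset, so the same comment applies: the `// Send 400` line should note that an HTTP/0.9 client sees the 400 only in the error body, since HTTP/0.9 responses carry no status line.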
    
  • test/org/apache/coyote/http11/TestHttp11InputBuffer.java (+15 −0, modified)
    @@ -657,6 +657,21 @@ public void testInvalidHttp09() {
         }
     
     
    +    @Test
    +    public void testInvalidHttp09Method() {
    +
    +        String[] request = new String[1];
    +        request[0] = "POST /test" + CRLF;
    +
    +        InvalidClient client = new InvalidClient(request);
    +
    +        client.doRequest();
    +        // The response in that case is HTTP/0.9 so only the body
    +        Assert.assertTrue(client.getResponseLine(), client.getResponseLine().contains("400"));
    +        Assert.assertTrue(client.isResponseBodyOK());
    +    }
    +
    +
         @Test
         public void testInvalidEndOfRequestLine01() {
     
    
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -135,6 +135,9 @@
             creating a TLS connector if the <code>KeyStore</code> instance has been
             set directly on the connector. (markt)
           </fix>
    +      <fix>
    +        HTTP/0.9 only allows GET as the HTTP method. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    
6c73d74ff281

HTTP/0.9 only allows GET

https://github.com/apache/tomcat · remm · Nov 26, 2025 · via ghsa
3 files changed · +23 −0
  • java/org/apache/coyote/http11/Http11Processor.java (+5 −0, modified)
    @@ -607,6 +607,11 @@ private void prepareRequestProtocol() {
                 http09 = true;
                 http11 = false;
                 keepAlive = false;
    +            if (!Method.GET.equals(request.getMethod())) {
    +                // Send 400, GET is the only allowed method for HTTP/0.9
    +                response.setStatus(400);
    +                setErrorState(ErrorState.CLOSE_CLEAN, null);
    +            }
             } else {
                 // Unsupported protocol
                 http09 = false;
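Review bot: This hunk is the same change as in 2e2fa23f2635, differing only in the `@@ -607,6 +607,11 @@` offset (the test hunk below likewise lands at `@@ -578` on this branch), so the same comment applies: the `// Send 400` line should note that an HTTP/0.9 client sees the 400 only in the error body, since HTTP/0.9 responses carry no status line.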
    
  • test/org/apache/coyote/http11/TestHttp11InputBuffer.java (+15 −0, modified)
    @@ -578,6 +578,21 @@ public void testInvalidHttp09() {
         }
     
     
    +    @Test
    +    public void testInvalidHttp09Method() {
    +
    +        String[] request = new String[1];
    +        request[0] = "POST /test" + CRLF;
    +
    +        InvalidClient client = new InvalidClient(request);
    +
    +        client.doRequest();
    +        // The response in that case is HTTP/0.9 so only the body
    +        Assert.assertTrue(client.getResponseLine(), client.getResponseLine().contains("400"));
    +        Assert.assertTrue(client.isResponseBodyOK());
    +    }
    +
    +
         @Test
         public void testInvalidEndOfRequestLine01() {
     
    
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -135,6 +135,9 @@
             creating a TLS connector if the <code>KeyStore</code> instance has been
             set directly on the connector. (markt)
           </fix>
    +      <fix>
    +        HTTP/0.9 only allows GET as the HTTP method. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.