VYPR
Medium severity · CVSS 5.3 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 14, 2026

CVE-2026-32990

Description

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper Input Validation in Apache Tomcat branches 11.0.x, 10.1.x, and 9.0.x due to an incomplete fix for CVE-2025-66614, allowing potential data manipulation.

CVE-2026-32990 describes an improper input validation vulnerability in Apache Tomcat, stemming from an incomplete fix of a previous flaw, CVE-2025-66614. This issue affects specific versions across the 11.0.x, 10.1.x, and 9.0.x branches, and can lead to unexpected behavior due to insufficient validation of certain inputs [1][4].

Root Cause and Attack Vector

The vulnerability originates from the failure to fully address input validation gaps in the prior patch, leaving a surface that may be exploitable without authentication in some configurations. An attacker with network access to a vulnerable Tomcat instance could craft requests with malformed data to manipulate internal processing [2][3].

Impact

The lack of proper input validation could allow an attacker to alter the intended logic of the application, leading to data corruption or bypass of security controls. While not resulting in direct code execution, the flaw can undermine the integrity of data handled by Tomcat [4].

Mitigation

Users should upgrade to the fixed versions (11.0.20, 10.1.53, or 9.0.116) to fully remediate the issue. No workarounds are documented; applying the vendor-supplied patch is the recommended action [1][2][3]. The vulnerability is rated Medium with a CVSS v3 base score of 5.3.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions        Patched version
org.apache.tomcat:tomcat-coyote             Maven       >= 9.0.113, < 9.0.116    9.0.116
org.apache.tomcat:tomcat-coyote             Maven       >= 10.1.50, < 10.1.53    10.1.53
org.apache.tomcat:tomcat-coyote             Maven       >= 11.0.15, < 11.0.20    11.0.20
org.apache.tomcat:tomcat                    Maven       >= 9.0.113, < 9.0.116    9.0.116
org.apache.tomcat:tomcat                    Maven       >= 10.1.50, < 10.1.53    10.1.53
org.apache.tomcat:tomcat                    Maven       >= 11.0.15, < 11.0.20    11.0.20
org.apache.tomcat.embed:tomcat-embed-core   Maven       >= 9.0.113, < 9.0.116    9.0.116
org.apache.tomcat.embed:tomcat-embed-core   Maven       >= 10.1.50, < 10.1.53    10.1.53
org.apache.tomcat.embed:tomcat-embed-core   Maven       >= 11.0.15, < 11.0.20    11.0.20

Affected products (2)

  • Apache/Tomcat (2 versions)
    • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* — range: >=9.0.113, <9.0.116
    • (no CPE) — range: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115

Patches (3)

95f7778248ca

Fix case sensitive handling of the protocol host name

https://github.com/apache/tomcat · remm · Mar 16, 2026 · via ghsa
2 files changed · +5 −1
  • java/org/apache/tomcat/util/net/AbstractEndpoint.java (+2 −1, modified)
    @@ -548,7 +548,8 @@ protected SSLHostConfig getSSLHostConfig(String sniHostName) {
         public boolean checkSni(String sniHostName, String protocolHostName) {
             return (!strictSni || !isSSLEnabled()
                     || (sniHostName != null && sniHostName.equalsIgnoreCase(protocolHostName))
    -                || getSSLHostConfig(sniHostName) == getSSLHostConfig(protocolHostName));
    +                || getSSLHostConfig(sniHostName) == getSSLHostConfig(
    +                        protocolHostName != null ? protocolHostName.toLowerCase(Locale.ENGLISH) : null));
         }
     
     
    
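Review bot: the normalization is one-sided: only protocolHostName is lowercased before the getSSLHostConfig lookup, while sniHostName on the same line is passed through unchanged. Unless getSSLHostConfig itself lowercases its argument (not visible in this hunk) or the SNI value is guaranteed to arrive already normalized, a mixed-case SNI name can still miss the entry that the lowercased protocol host name now resolves to, and the two sides of the `==` disagree for names that differ only in case. Moving the `toLowerCase(Locale.ENGLISH)` call into getSSLHostConfig would cover both arguments and every other caller at once; as written, each call site has to remember to normalize. The file stat is +2 −1 with no import line added, so java.util.Locale must already be imported in AbstractEndpoint.java; worth confirming before merge.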
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -225,6 +225,9 @@
             Report handshake issues as <code>SSLException</code> in the FFM
             code, rather than <code>IllegalStateException</code>. (remm)
           </fix>
    +      <fix>
    +        Fix case sensitive handling of the protocol host name. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    
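Review bot: the changelog entry states what was changed but not what an operator would have observed, so it is hard to map a deployment symptom back to this fix. One clause naming the failing scenario, for example that a protocol host name containing upper-case letters was not matched against its SSLHostConfig when strict SNI checking is enabled, would make the entry actionable; the placement inside the existing `<changelog>` block next to the other Coyote fixes is consistent with the file.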
021d1f833e38

Fix case sensitive handling of the protocol host name

https://github.com/apache/tomcat · remm · Mar 16, 2026 · via ghsa
2 files changed · +5 −1
  • java/org/apache/tomcat/util/net/AbstractEndpoint.java (+2 −1, modified)
    @@ -743,7 +743,8 @@ protected SSLHostConfig getSSLHostConfig(String sniHostName) {
         public boolean checkSni(String sniHostName, String protocolHostName) {
             return (!strictSni || !isSSLEnabled()
                     || (sniHostName != null && sniHostName.equalsIgnoreCase(protocolHostName))
    -                || getSSLHostConfig(sniHostName) == getSSLHostConfig(protocolHostName));
    +                || getSSLHostConfig(sniHostName) == getSSLHostConfig(
    +                        protocolHostName != null ? protocolHostName.toLowerCase(Locale.ENGLISH) : null));
         }
     
     
    
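Review bot: the direct comparison two lines above the change uses equalsIgnoreCase, while the map lookup now uses `toLowerCase(Locale.ENGLISH)`; for host names, which are ASCII once IDNA-encoded, the two agree, and pinning Locale.ENGLISH is the right choice (the platform default locale would fold a dotted or dotless 'I' differently under Turkish rules). What the hunk leaves implicit is that the fix only works if the keys in the SSLHostConfig map are already lower-case; nothing here enforces that, so that assumption should be stated in a comment at the call site or, better, enforced once inside getSSLHostConfig so a future caller cannot reintroduce the mismatch.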
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -223,6 +223,9 @@
             Report handshake issues as <code>SSLException</code> in the FFM
             code, rather than <code>IllegalStateException</code>. (remm)
           </fix>
    +      <fix>
    +        Fix case sensitive handling of the protocol host name. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    
4d0615a5c718

Fix case sensitive handling of the protocol host name

https://github.com/apache/tomcat · remm · Mar 16, 2026 · via ghsa
2 files changed · +5 −1
  • java/org/apache/tomcat/util/net/AbstractEndpoint.java (+2 −1, modified)
    @@ -531,7 +531,8 @@ protected SSLHostConfig getSSLHostConfig(String sniHostName) {
         public boolean checkSni(String sniHostName, String protocolHostName) {
             return (!strictSni || !isSSLEnabled()
                     || (sniHostName != null && sniHostName.equalsIgnoreCase(protocolHostName))
    -                || getSSLHostConfig(sniHostName) == getSSLHostConfig(protocolHostName));
    +                || getSSLHostConfig(sniHostName) == getSSLHostConfig(
    +                        protocolHostName != null ? protocolHostName.toLowerCase(Locale.ENGLISH) : null));
         }
     
     
    
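Review bot: no test accompanies the change (2 files changed, neither under a test tree). A regression test that configures an endpoint with strictSni enabled and a single SSLHostConfig, then calls checkSni with a mixed-case protocolHostName such as "Example.com" against the lower-case configured name and asserts that it returns true, would have caught the earlier incomplete fix and keeps the three branch backports from drifting apart. The new continuation line is also noticeably wider than the surrounding code; hoisting the normalized name into a local before the return would read more easily than the inline ternary.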
  • webapps/docs/changelog.xml (+3 −0, modified)
    @@ -221,6 +221,9 @@
             Report handshake issues as <code>SSLException</code> in the FFM
             code, rather than <code>IllegalStateException</code>. (remm)
           </fix>
    +      <fix>
    +        Fix case sensitive handling of the protocol host name. (remm)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
