High severity (7.3) · NVD Advisory · Published May 12, 2026 · Updated May 14, 2026
CVE-2026-42498
Description
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Affected products
- (no CPE) range: >=11.0.0-M1, <=11.0.21; >=10.1.0-M1, <=10.1.54; >=9.0.2, <=9.0.117; >=8.5.24, <=8.5.100; >=7.0.83, <=7.0.109
- (no CPE) range: 11.0.0-M1 through 11.0.21; 10.1.0-M1 through 10.1.54; 9.0.2 through 9.0.117; 8.5.24 through 8.5.100; 7.0.83 through 7.0.109
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.openwall.com/lists/oss-security/2026/05/12/14 (NVD: Mailing List, Third Party Advisory)
- lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb (NVD: Mailing List, Vendor Advisory)
News mentions
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More (The Hacker News · May 11, 2026)
- Weaver E-cology critical bug exploited in attacks since March (BleepingComputer · May 4, 2026)
- Siemens SIMATIC (CISA Alerts)