Critical severity9.8NVD Advisory· Published May 12, 2026· Updated May 15, 2026
CVE-2026-43512
CVE-2026-43512
Description
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | < 9.0.118 | 9.0.118 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
org.apache.tomcat:tomcatMaven | < 9.0.118 | 9.0.118 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
org.apache.tomcat:tomcatMaven | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
org.apache.tomcat:tomcat-catalinaMaven | < 9.0.118 | 9.0.118 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.55 | 10.1.55 |
org.apache.tomcat:tomcat-catalinaMaven | >= 11.0.0-M1, < 11.0.22 | 11.0.22 |
Affected products
40- osv-coords38 versionspkg:apk/chainguard/camunda-8.8pkg:apk/chainguard/camunda-8.9pkg:apk/chainguard/camunda-zeebe-8.7pkg:apk/chainguard/camunda-zeebe-8.8pkg:apk/chainguard/camunda-zeebe-8.9pkg:apk/chainguard/kayenta-2025.4pkg:apk/chainguard/kayenta-2026.0pkg:apk/chainguard/kayenta-2026.1pkg:apk/chainguard/kayenta-fips-2025.4pkg:apk/chainguard/kayenta-fips-2026.0pkg:apk/chainguard/kayenta-fips-2026.1pkg:apk/chainguard/nacospkg:apk/chainguard/ontoppkg:apk/chainguard/ontop-fipspkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:bitnami/tomcatpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 8.8.24-r2+ 37 more
- (no CPE)range: < 8.8.24-r2
- (no CPE)range: < 8.9.5-r2
- (no CPE)range: < 8.7.29-r1
- (no CPE)range: < 8.8.24-r1
- (no CPE)range: < 8.9.5-r2
- (no CPE)range: < 2025.4.3-r8
- (no CPE)range: < 2026.0.2-r8
- (no CPE)range: < 2026.1.0-r1
- (no CPE)range: < 2025.4.3-r9
- (no CPE)range: < 2026.0.2-r9
- (no CPE)range: < 2026.1.0-r1
- (no CPE)range: < 3.2.1-r3
- (no CPE)range: < 5.5.0-r9
- (no CPE)range: < 5.5.0-r5
- (no CPE)range: < 4.3.1.2-r0
- (no CPE)range: < 4.3.1.2-r0
- (no CPE)range: < 4.3.1.2-r0
- (no CPE)range: < 4.3.1.2-r0
- (no CPE)range: >= 10.1.0, < 10.1.55
- (no CPE)range: < 10.1.55-1.1
- (no CPE)range: < 11.0.22-1.1
- (no CPE)range: < 9.0.118-1.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-160000.1.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-150200.5.67.1
- (no CPE)range: < 10.1.55-160000.1.1
- (no CPE)range: < 11.0.22-150600.13.21.1
- (no CPE)range: < 11.0.22-150600.13.21.1
- (no CPE)range: < 11.0.22-160000.1.1
- (no CPE)range: < 11.0.22-150600.13.21.1
- (no CPE)range: < 11.0.22-160000.1.1
- (no CPE)range: < 9.0.118-160000.1.1
- (no CPE)range: < 9.0.118-160000.1.1
Patches
Vulnerability mechanics
References
10- www.openwall.com/lists/oss-security/2026/05/12/8nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-h6fc-48rj-7qqhghsaADVISORY
- lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73nvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-43512ghsaADVISORY
- github.com/apache/tomcat/commit/3d4d3fae07a6cd9c2eb193c5491001740ec64448ghsaWEB
- github.com/apache/tomcat/commit/6565a6cb6499e56fe2f34457cec99f9d1c4f39e9ghsaWEB
- github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cdghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
2- ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and MoreThe Hacker News · Jun 22, 2026
- Atlassian, Splunk Patch Critical VulnerabilitiesSecurityWeek · Jun 18, 2026