Critical severity9.1NVD Advisory· Published May 12, 2026· Updated May 15, 2026

CVE-2026-43515

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Affected products

Apache/Tomcatllm-fuzzy
Range: >=11.0.0-M1 <=11.0.21, >=10.1.0-M1 <=10.1.54, >=9.0.0.M1 <=9.0.117, >=8.5.0 <=8.5.100, >=7.0.0 <=7.0.109

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/12/11nvdMailing ListThird Party Advisory
lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bbnvdMailing ListVendor Advisory

News mentions

⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
The Hacker News · May 11, 2026
Weaver E-cology critical bug exploited in attacks since March
BleepingComputer · May 4, 2026
Siemens SIMATIC
CISA Alerts

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000