VYPR
Published Jul 1, 2026 · 1 source

Multiple Apache Tomcat Vulnerabilities Allow Authentication Bypass

Two critical vulnerabilities in Apache Tomcat, CVE-2026-55957 and CVE-2026-55956, allow attackers to bypass authentication and access protected resources.

The Apache Software Foundation has disclosed two critical vulnerabilities affecting its widely used Tomcat servlet container, enabling attackers to bypass authentication and security constraints. The flaws, tracked as CVE-2026-55957 and CVE-2026-55956, impact multiple major versions of Tomcat, prompting urgent recommendations for users to upgrade to patched releases.

CVE-2026-55957, rated as 'Important' severity, affects Tomcat's JNDIRealm component when configured with GSSAPI authenticated bind. The vulnerability arises from improperly enforced security constraints on the default servlet: the HTTP methods or method omissions configured in an access rule were silently ignored, so an attacker could bypass the intended access restrictions and reach protected resources without proper authentication.

This particular vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.4, 10.1.0-M1 through 10.1.36, and 9.0.0.M1 through 9.0.100. Older, unsupported branches may also be vulnerable. The Apache Software Foundation recommends upgrading to Tomcat 11.0.5, 10.1.37, or 9.0.101, or later versions, to mitigate this risk. The issue was responsibly disclosed by security researcher Ilan Toyter.

The second flaw, CVE-2026-55956, is rated as 'Moderate' severity and shares the same root cause: security constraints defined for the default servlet failed to properly enforce configured HTTP methods or method omissions. While less severe than CVE-2026-55957, this issue affects a broader range of Tomcat releases, indicating the defect persisted across several release cycles before its discovery.

CVE-2026-55956 impacts Apache Tomcat versions 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, and 9.0.0.M1 through 9.0.118. Similar to the first vulnerability, older, unsupported branches may also be affected. The recommended fix is to upgrade to Tomcat 11.0.23, 10.1.56, or 9.0.119, or later.

Both vulnerabilities stem from Tomcat's handling of <security-constraint> definitions applied to the default servlet. When administrators attempted to scope access control to specific HTTP methods (e.g., allowing GET but restricting PUT or DELETE), Tomcat's request-matching logic did not consistently honor these method-level restrictions. This meant that endpoints intended to be protected by method-based rules could still be accessed using unrestricted HTTP verbs, creating a pathway for unauthorized access to sensitive resources or administrative functions.

Organizations running affected Tomcat instances are strongly advised to prioritize patching, especially if the default servlet handles sensitive content or if JNDIRealm with GSSAPI bind is used for LDAP-backed authentication. The Apache Software Foundation has not provided any workarounds other than upgrading, making the application of patched releases the only reliable mitigation strategy. Administrators should also review and audit their existing web.xml security constraints after upgrading to ensure that intended access controls are functioning as designed.
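The post-upgrade audit recommended above can be started from the descriptor itself: the following script is an added example, not code from the advisory or from the Apache Tomcat project. It lists every security-constraint in a web.xml that relies on http-method or http-method-omission scoping (the rules whose enforcement the advisory says was not honoured for the default servlet) and flags positive method lists that leave other verbs uncovered when no deny-uncovered-http-methods element is present. The sample descriptor, its paths and its role names are constructed for the example.

```python
# Added example (not code from the advisory or from Tomcat); paths and roles are invented.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>Writes</web-resource-name>
      <url-pattern>/*</url-pattern><http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _texts(elem, name):
    # Compare local names so javaee and jakartaee namespaces both work.
    return [e.text.strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name and e.text]

def audit_constraints(web_xml):
    """One record per <security-constraint> that uses <http-method> or
    <http-method-omission>; 'uncovered' marks a positive method list with no
    <deny-uncovered-http-methods/>, so verbs it does not name fall outside it."""
    root = ET.fromstring(web_xml)
    deny_uncovered = any(e.tag.endswith("deny-uncovered-http-methods") for e in root.iter())
    findings = []
    for sc in root.iter():
        if not sc.tag.endswith("security-constraint"):
            continue
        methods = _texts(sc, "http-method")
        omissions = _texts(sc, "http-method-omission")
        if not methods and not omissions:
            continue  # applies to every method; not a method-scoped rule
        findings.append({
            "name": (_texts(sc, "web-resource-name") or ["?"])[0],
            "patterns": _texts(sc, "url-pattern"), "roles": _texts(sc, "role-name"),
            "methods": methods, "omissions": omissions,
            "uncovered": bool(methods) and not deny_uncovered,
        })
    return findings
```

Each record in the output is a rule to re-test against the patched release with the listed verbs, including the ones the rule does not name.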

Synthesized by Vypr AI