CVE-2006-1546

Authorization Bypass
Affects: Apache Struts <1.2.9
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A validation bypass vulnerability (CVE-2006-1546) has been identified in Apache Struts. It allows attackers to skip the form validation an action relies on.

Input validation bypass occurs when an attacker is able to submit malicious or unexpected input that the application fails to properly validate or sanitize. This often happens because of weak, incomplete, or improperly implemented validation checks on user-supplied data such as form fields, URLs, cookies, or API requests. When input validation is bypassed, it can lead to serious security vulnerabilities including SQL injection, cross-site scripting (XSS), command injection, or privilege escalation. The consequences range from data breaches, unauthorized access, and system compromise to reputational damage and legal liability for the organization.

This issue affects all versions of Struts earlier than 1.2.9.

Details

Module Info

Vulnerability Info

Reported as bug #38374, CVE-2006-1546 is a high-severity vulnerability that attackers can exploit to bypass input validation. By supplying the cancel request parameter (the name held in org.apache.struts.taglib.html.Constants.CANCEL) to an action that does not check for cancellation, an attacker causes the framework to skip validation, so potentially harmful data reaches the action and is processed.

This vulnerability was patched in Struts 1.2.9, which introduced a breaking change: application developers must now explicitly mark each action that supports cancellation as cancellable, using <set-property> in the action's struts-config entry. The property defaults to false, and a cancel request sent to an action that is not marked cancellable throws an InvalidCancelException. For more information, refer to this guide.

Steps To Reproduce

On a Struts application running a version earlier than 1.2.9, with an action that performs validation but does not check isCancelled, send a request that would normally fail validation and add the parameter org.apache.struts.taglib.html.CANCEL=true to it. Validation is bypassed and the request succeeds.

On a Struts application that has been patched, sending the same request will result in an InvalidCancelException.
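The two defensive steps the advisory describes, marking the action cancellable in struts-config.xml (Struts 1.2.9 and later) and checking isCancelled before touching form data, put together as an added illustration. This is not code from the advisory or from the Struts project; the action class, form bean, forward names and the /saveProfile path are hypothetical.

```java
// Added illustration, not code from the advisory or the Struts project.
// Hypothetical names: SaveProfileAction, SaveProfileForm, /saveProfile, forwards "success"/"cancel".
//
// struts-config.xml fragment (Struts 1.2.9+). Without the cancellable property a
// request carrying the cancel parameter is rejected with InvalidCancelException;
// with it, the RequestProcessor skips validation and the action must handle
// cancellation itself.
//
//   <action path="/saveProfile"
//           type="com.example.SaveProfileAction"
//           name="saveProfileForm"
//           scope="request"
//           validate="true"
//           input="/profile.jsp">
//     <set-property property="cancellable" value="true"/>
//     <forward name="success" path="/profileSaved.jsp"/>
//     <forward name="cancel"  path="/profile.jsp"/>
//   </action>

package com.example;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SaveProfileAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {

        // Validation is skipped whenever the request carries the cancel parameter,
        // so a cancellable action must test for cancellation first and must not
        // act on any form field in that branch: the data was never validated.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");
        }

        // Only reached for requests that passed SaveProfileForm.validate().
        SaveProfileForm profile = (SaveProfileForm) form;
        // Persist profile.getDisplayName() / profile.getEmail() here (hypothetical
        // service call omitted); the fields are known to have passed validation.

        return mapping.findForward("success");
    }
}
```

On an unpatched deployment the same action class is still the right shape: the isCancelled check is what stops an attacker-supplied cancel parameter from turning into processed, unvalidated data. On 1.2.9 and later, leaving the set-property line out of an action that never legitimately handles cancellation is the safer default, since the framework then refuses the cancel request outright.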

Credit

  • Paul Benedict reported and provided the security patch

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to patched version 1.2.9 or greater.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2006-1546
  • Project Affected: Apache Struts
  • Versions Affected: <1.2.9
  • Published date: May 12, 2025
  • Fix date: March 23, 2006
  • Severity: High
  • Category: Authorization Bypass