Vulnerability Directory | CVE-2026-43513

Overview

Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.

A low-severity vulnerability (CVE-2026-43513) has been identified in the LockOutRealm component of Apache Tomcat. LockOutRealm wraps another Realm and tracks failed authentication attempts so that, after a configurable number of failures, further attempts against the same user are rejected without consulting the underlying Realm. The failure tracker keyed user names as case-sensitive strings, so when the wrapped Realm performed case-insensitive user-name matching (for example, a database or LDAP Realm), an attacker could rotate the casing of a target user name on each attempt and never trip the lockout threshold, defeating the brute-force protection the operator had configured.

Per OWASP: Authorization Bypass occurs when an application fails to properly enforce an access-control or rate-limiting decision, allowing an attacker to perform actions or reach states that the configured policy was intended to prevent. In this case, the operator-configured brute-force lockout policy is effectively bypassed by case rotation of the user name supplied to the authentication endpoint.

This issue affects versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.117, 10.1.0-M1 through 10.1.54, and 11.0.0-M1 through 11.0.21 of Apache Tomcat.

‍

Details

Module Info

Product: Apache Tomcat
Affected packages: tomcat-catalina, tomcat-embed-core
Affected versions: >=8.5.0 <=8.5.100, >=9.0.0.M1 <=9.0.117, >=10.1.0-M1 <=10.1.54, >=11.0.0-M1 <=11.0.21
GitHub repository: https://github.com/apache/tomcat
Published packages:
- https://repo1.maven.org/maven2/org/apache/tomcat/tomcat-catalina/
- https://central.sonatype.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/
Package manager: Maven
Fixed in:
NES for Apache Tomcat
Apache Tomcat 11.0.22, 10.1.55, 9.0.118 (OSS)

Vulnerability Info

The vulnerability exists in LockOutRealm.java, which maintains a failedUsers map keyed by user name. Before the fix, isLocked, registerAuthSuccess, and registerAuthFailure all used the supplied username argument as the map key verbatim, with no normalization:

public boolean isLocked(String username) {
    LockRecord lockRecord = null;
    synchronized (this) {
        lockRecord = failedUsers.get(username);
    }
    // ...
}

private synchronized void registerAuthSuccess(String username) {
    failedUsers.remove(username);
}

private void registerAuthFailure(String username) {
    LockRecord lockRecord = null;
    synchronized (this) {
        if (!failedUsers.containsKey(username)) {
            lockRecord = new LockRecord();
            failedUsers.put(username, lockRecord);
        } else {
            // ...
        }
    }
    lockRecord.registerFailure();
}

Because Java String keys are case-sensitive, the user-name strings user, User, and USER mapped to three distinct LockRecord entries, each with its own failure counter. When LockOutRealm was paired with a Realm that performed case-insensitive user-name matching, those three entries all referred to the same underlying account, so an attacker could cycle through casing variants to keep every per-key counter below the failureCount threshold while still authenticating against the same real account.

The fix introduces a new caseSensitive attribute (default false) on LockOutRealm. When case-insensitive mode is in effect, the user name is canonicalized with toLowerCase(Locale.ROOT) before any read or write of failedUsers:

private boolean caseSensitive = false;

public boolean isLocked(String username) {
    if (!getCaseSensitive()) {
        username = username.toLowerCase(Locale.ROOT);
    }
    LockRecord lockRecord;
    synchronized (this) {
        lockRecord = failedUsers.get(username);
    }
    // ...
}

The same normalization is applied in registerAuthSuccess and registerAuthFailure, so all failure-tracking operations agree on a single canonical key per account. Operators whose backing Realm is genuinely case-sensitive can opt back into the legacy behavior by setting caseSensitive="true" on the <Realm> element.

‍

Mitigation

Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive any updates to address this issue. NES for Tomcat includes an update to 8.5.x to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations: