CVE-2026-55955

Authorization Bypass
Affects: Apache Tomcat
Versions: >=7.0.100 <=7.0.109, >=8.5.38 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Tomcat is an open-source web server and servlet container, maintained by the Apache Software Foundation, that implements the Jakarta Servlet, Jakarta Pages (JSP), Jakarta Expression Language, and Jakarta WebSocket specifications and provides a pure-Java HTTP environment for running Java web applications.

An authorization bypass vulnerability (CVE-2026-55955) has been identified in the Apache Tomcat cluster channel interceptor EncryptInterceptor, which allows an attacker who can inject traffic into the cluster channel to replay a previously captured, validly encrypted cluster message. Because EncryptInterceptor tracked no nonce, sequence number, or timestamp for messages it had already processed, a replayed ciphertext decrypted successfully and was forwarded as if it were a fresh message.

Per OWASP: Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. Authentication Bypass by Capture-replay is a vulnerability that allows malicious users to intercept network traffic and bypass authentication by replaying it to achieve the same effect as the original message.

This issue affects multiple versions of Apache Tomcat that ship the cluster tribes EncryptInterceptor in the org.apache.tomcat:tomcat-tribes module.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-tribes
  • Affected versions: >=7.0.100 <=7.0.109, >=8.5.38 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
  • GitHub repository: https://github.com/apache/tomcat
  • Package manager: Maven
  • Fixed in:

Vulnerability Info

This Low-severity vulnerability is found in the org.apache.tomcat:tomcat-tribes package in multiple versions of Apache Tomcat. Tomcat clustering can wrap the inter-node tribes group channel with org.apache.catalina.tribes.group.interceptors.EncryptInterceptor, which encrypts each cluster message (AES, CBC by default, with optional GCM) so that membership and session-replication traffic between nodes is confidential. The interceptor uses a fresh random initialization vector per message purely as a cryptographic nonce; it provides semantic security but no protection against an attacker resending an intact, previously valid ciphertext.

On the receive side, the interceptor decrypted each incoming message and immediately forwarded it up the channel with no check for whether that message had already been seen:

public void messageReceived(ChannelMessage msg) {
    try {
        byte[] data = msg.getMessage().getBytes();
        // A valid ciphertext decrypts whether it is fresh or a replayed copy
        data = encryptionManager.decrypt(data);

        XByteBuffer xbb = msg.getMessage();
        // Completely replace the message with the decrypted one
        xbb.clear();
        xbb.append(data, 0, data.length);

        // Forwarded up the channel with no nonce, sequence, or timestamp check
        super.messageReceived(msg);
    } catch (GeneralSecurityException gse) {
        log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
    }
}

Because there is no nonce, sequence, or timestamp tracking of already-processed messages, an attacker who can observe and re-inject traffic on the cluster channel can capture an encrypted cluster message and replay it. The node receiving the replay decrypts it successfully and forwards it as though it were a fresh message, for example re-applying a stale session-replication update. Exploitation is constrained: it requires that clustering is enabled with EncryptInterceptor configured on the tribes group channel, and that the attacker is already able to inject traffic onto the cluster network. EncryptInterceptor protects the confidentiality of cluster traffic but does not claim to defend a cluster that runs over an untrusted network, which is consistent with the Low severity assigned to this issue. It is not active in a default standalone Tomcat, and there is no key compromise or disclosure of message contents.

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Note that the fix is a breaking change to the EncryptInterceptor wire format: the patched interceptor prepends an 8-byte trusted timestamp inside the encrypted payload so that the receiver can detect replays. Patched and unpatched nodes cannot interoperate over the cluster channel, so every node in a cluster must be upgraded to a fixed build at the same time.
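The following is an added illustration, not Tomcat's own code or the HeroDevs patch, of the difference between the unchecked receive path shown above and a receive path that carries an 8-byte timestamp inside the encrypted payload. A single AES-GCM key stands in for the cluster's shared key; the 30-second acceptance window and the cache of IVs accepted inside that window are design choices assumed for this demo, not a description of how the fixed interceptor detects replays.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added demo of replay protection for an encrypted channel message.
// Not Tomcat code: the window size and the IV-keyed replay cache are assumptions of this demo.
public class ReplayGuardDemo {
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;
    private static final long WINDOW_MS = 30_000L; // assumed acceptance window for timestamps

    private final SecretKeySpec key;
    private final SecureRandom rng = new SecureRandom();
    // Receiver-side cache of message IVs accepted inside the window (assumed design).
    private final Map<String, Long> seenIvs = new HashMap<>();

    ReplayGuardDemo(byte[] rawKey) {
        key = new SecretKeySpec(rawKey, "AES");
    }

    // Sender: plaintext = 8-byte timestamp || payload; wire = IV || AES-GCM(ciphertext || tag).
    byte[] seal(byte[] payload, long nowMs) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        byte[] plain = ByteBuffer.allocate(8 + payload.length).putLong(nowMs).put(payload).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    private byte[] decrypt(byte[] wire) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, wire, 0, IV_LEN));
        return c.doFinal(wire, IV_LEN, wire.length - IV_LEN);
    }

    // Pre-fix behaviour: anything that decrypts is accepted, however often it arrives.
    byte[] receiveUnchecked(byte[] wire) throws GeneralSecurityException {
        return decrypt(wire);
    }

    // Hardened behaviour: reject timestamps outside the window and IVs already seen within it.
    byte[] receiveChecked(byte[] wire, long nowMs) throws GeneralSecurityException {
        byte[] plain = decrypt(wire); // GCM tag is verified here, so the timestamp is trusted
        long ts = ByteBuffer.wrap(plain, 0, 8).getLong();
        if (Math.abs(nowMs - ts) > WINDOW_MS) {
            throw new GeneralSecurityException("timestamp outside acceptance window");
        }
        seenIvs.entrySet().removeIf(e -> nowMs - e.getValue() > WINDOW_MS); // forget expired entries
        String ivKey = Base64.getEncoder().encodeToString(Arrays.copyOf(wire, IV_LEN));
        if (seenIvs.putIfAbsent(ivKey, ts) != null) {
            throw new GeneralSecurityException("replay detected: IV already accepted in window");
        }
        return Arrays.copyOfRange(plain, 8, plain.length);
    }

    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[16];
        new SecureRandom().nextBytes(rawKey); // constructed demo key; a cluster shares a configured key
        ReplayGuardDemo node = new ReplayGuardDemo(rawKey);
        long now = System.currentTimeMillis();
        byte[] wire = node.seal("session-update".getBytes("UTF-8"), now); // constructed sample message

        // Unchecked receiver: the same bytes are accepted twice.
        node.receiveUnchecked(wire);
        node.receiveUnchecked(wire);
        System.out.println("unchecked receiver accepted the duplicate");

        // Checked receiver: first delivery passes, the duplicate is rejected.
        System.out.println("checked receiver accepted: " + new String(node.receiveChecked(wire, now), "UTF-8"));
        try {
            node.receiveChecked(wire, now + 5);
        } catch (GeneralSecurityException e) {
            System.out.println("checked receiver rejected: " + e.getMessage());
        }
        // A genuine message whose timestamp is older than the window is rejected as well.
        try {
            node.receiveChecked(node.seal("stale".getBytes("UTF-8"), now - 2 * WINDOW_MS), now);
        } catch (GeneralSecurityException e) {
            System.out.println("checked receiver rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ReplayGuardDemo.java && java ReplayGuardDemo`. The timestamp alone bounds how long a captured message stays useful; the IV cache closes the remaining gap inside the window. Because the timestamp sits inside the authenticated ciphertext, an attacker cannot refresh it without the key, which is why the prepended field has to live within the encrypted payload rather than in a plaintext header. The operational consequence noted above still applies to any such change: senders and receivers must agree on the new layout, so every node has to move to the new format together.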

Credits

  • Apache Tomcat security team.

Vulnerability Details

Severity: Low

Severity scale (CVSS assessment): Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10

ID: CVE-2026-55955
Project affected: Apache Tomcat
Versions affected: >=7.0.100 <=7.0.109, >=8.5.38 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
NES versions affected:
Published date: July 1, 2026
≈ Fix date:
Category: Authorization Bypass