CVE-2026-55956

Authorization Bypass
Affects: Apache Tomcat
Versions: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Tomcat is an open-source web server and servlet container, maintained by the Apache Software Foundation, that implements the Jakarta Servlet, Jakarta Pages (JSP), Jakarta Expression Language, and Jakarta WebSocket specifications and provides a pure-Java HTTP environment for running Java web applications.

An authorization bypass vulnerability (CVE-2026-55956) has been identified in Apache Tomcat, which allows attackers to evade per-method authorization rules on resources served by the default servlet. When a security constraint is mapped to the default servlet path, Tomcat matched the constraint to every request regardless of the request's HTTP method, ignoring any per-method or method-omission restriction declared on the constraint, so a rule intended to protect only some methods was applied to all of them.

Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

This issue affects multiple versions of Apache Tomcat below 11.0.23.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-catalina, tomcat-embed-core
  • Affected versions: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
  • GitHub repository: https://github.com/apache/tomcat
  • Package manager: Maven
  • Fixed in:

Vulnerability Info

This Medium-severity vulnerability is found in the org.apache.tomcat:tomcat-catalina package in Apache Tomcat. The realm's findSecurityConstraints method in org.apache.catalina.realm.RealmBase decides which security constraints apply to an incoming request. For most matches the realm checks that the request's HTTP method is actually covered by the constraint's web-resource collection before applying it, but the final pass that handles resources served by the default servlet (the / url-pattern) matched on the path alone:

// Final pass in findSecurityConstraints: handles resources served by the
// default servlet. It tests only whether the collection declares the "/"
// pattern and never consults the collection's <http-method> or
// <http-method-omission> settings, so the request method is ignored.
boolean matched = false;
for (String pattern : patterns) {
    if (pattern.equals("/")) {
        matched = true;
        break;
    }
}

Because this pass never consulted the collection's configured methods, a constraint that declared <http-method> or <http-method-omission> on a <web-resource-collection> mapped to the default servlet was treated as covering every method. An administrator who, for example, restricted only write methods on default-servlet-served static resources would have that per-method scope collapsed, so the constraint applied to all methods and the intended authorization rule was no longer enforced as written. The other three matching passes in the same method (exact, prefix, and extension matches) already gated on the request method, so only the default-servlet branch was affected.
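The following is an added, self-contained Java model of the matching logic described above. It is not Tomcat's code and is not part of this advisory's source: the class names (DefaultServletConstraintDemo, Collection), the coversMethod helper and the two match functions are hypothetical stand-ins for the realm's default-servlet pass, written to show the flawed path-only match beside a version that also gates on the request method, using a constructed constraint that lists only PUT and DELETE.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Illustrative model only (hypothetical names, not Tomcat's implementation).
public class DefaultServletConstraintDemo {

    /** Minimal stand-in for a <web-resource-collection>. */
    static final class Collection {
        final List<String> patterns;        // <url-pattern> entries
        final Set<String> methods;          // <http-method> entries
        final Set<String> omittedMethods;   // <http-method-omission> entries

        Collection(List<String> patterns, Set<String> methods, Set<String> omittedMethods) {
            this.patterns = patterns;
            this.methods = methods;
            this.omittedMethods = omittedMethods;
        }

        /**
         * Does this collection cover the given HTTP method? Follows the servlet
         * specification rule: no method elements means every method; explicit
         * http-method entries mean only those; omissions mean all but those.
         */
        boolean coversMethod(String method) {
            if (methods.isEmpty() && omittedMethods.isEmpty()) {
                return true;
            }
            if (!methods.isEmpty()) {
                return methods.contains(method);
            }
            return !omittedMethods.contains(method);
        }
    }

    /** Flawed default-servlet pass: decides on the "/" pattern alone. */
    static boolean vulnerableDefaultServletMatch(Collection c, String method) {
        boolean matched = false;
        for (String pattern : c.patterns) {
            if (pattern.equals("/")) {
                matched = true;
                break;
            }
        }
        return matched; // request method never consulted
    }

    /** Corrected pass: same path test, then gated on the request method. */
    static boolean fixedDefaultServletMatch(Collection c, String method) {
        boolean matched = false;
        for (String pattern : c.patterns) {
            if (pattern.equals("/")) {
                matched = true;
                break;
            }
        }
        return matched && c.coversMethod(method);
    }

    public static void main(String[] args) {
        // Constructed constraint: intended to cover only PUT and DELETE on
        // default-servlet-served resources.
        Collection writeOnly = new Collection(
                Arrays.asList("/"),
                new HashSet<>(Arrays.asList("PUT", "DELETE")),
                new HashSet<>());

        for (String method : Arrays.asList("GET", "PUT", "DELETE")) {
            System.out.printf("%-6s vulnerable=%-5b fixed=%b%n", method,
                    vulnerableDefaultServletMatch(writeOnly, method),
                    fixedDefaultServletMatch(writeOnly, method));
        }
    }
}
```

Run with `javac DefaultServletConstraintDemo.java && java DefaultServletConstraintDemo`. The flawed pass reports the write-only constraint as matching GET as well as PUT and DELETE, which is the per-method scope collapse the advisory describes; the corrected pass matches only the two methods the constraint actually declares.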

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • j0hndo (finder)
Vulnerability Details

  • Severity: Medium (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • ID: CVE-2026-55956
  • Project affected: Apache Tomcat
  • Versions affected: >= 7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
  • NES versions affected:
  • Published date: July 1, 2026
  • ≈ Fix date:
  • Category: Authorization Bypass