CVE-2026-55956
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Tomcat is an open-source web server and servlet container, maintained by the Apache Software Foundation, that implements the Jakarta Servlet, Jakarta Pages (JSP), Jakarta Expression Language, and Jakarta WebSocket specifications and provides a pure-Java HTTP environment for running Java web applications.
An authorization bypass vulnerability (CVE-2026-55956) has been identified in Apache Tomcat, which allows attackers to evade per-method authorization rules on resources served by the default servlet. When a security constraint is mapped to the default servlet path, Tomcat matched the constraint to every request regardless of the request's HTTP method, ignoring any per-method or method-omission restriction declared on the constraint, so a rule intended to protect only some methods was applied to all of them.
Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
This issue affects multiple versions of Apache Tomcat below 11.0.23.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: tomcat-catalina, tomcat-embed-core
- Affected versions: >=7.0.0 <=7.0.109, >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.119, >=10.1.0-M1 <10.1.56, >=11.0.0-M1 <11.0.23
- GitHub repository: https://github.com/apache/tomcat
- Published packages:
  - Package manager: Maven
- Fixed in:
  - NES for Apache Tomcat 8.5.100-tomcat-8.5.107
  - Apache Tomcat 11.0.23, 10.1.56, 9.0.119 (OSS)
Vulnerability Info
This Medium-severity vulnerability is found in the org.apache.tomcat:tomcat-catalina package in Apache Tomcat. The realm's findSecurityConstraints method in org.apache.catalina.realm.RealmBase decides which security constraints apply to an incoming request. For most matches the realm checks that the request's HTTP method is actually covered by the constraint's web-resource collection before applying it, but the final pass that handles resources served by the default servlet (the / url-pattern) matched on the path alone:
    // Final pass in RealmBase.findSecurityConstraints: resources served by the
    // default servlet. Vulnerable behaviour: a "/" url-pattern is treated as a
    // match on the path alone; the collection's configured methods are never checked.
    boolean matched = false;
    for (String pattern : patterns) {
        if (pattern.equals("/")) {
            matched = true;
            break;
        }
    }
Because this pass never consulted the collection's configured methods, a constraint that declared <http-method> or <http-method-omission> on a <web-resource-collection> mapped to the default servlet was treated as covering every method. An administrator who, for example, restricted only write methods on default-servlet-served static resources would have that per-method scope collapsed, so the constraint applied to all methods and the intended authorization rule was no longer enforced as written. The other three matching passes in the same method (exact, prefix, and extension matches) already gated on the request method, so only the default-servlet branch was affected.
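To make the defect concrete, the following is a small added Java model of the default-servlet pass beside a corrected version that gates on the request method the way the exact, prefix and extension passes already do. It is an illustration written for this advisory, not Tomcat's own code: the class name DefaultServletMatchDemo, the helper names, and the method/omission semantics of the modelled findMethod are assumptions chosen to mirror the shape of the real logic, and the constraint it builds (write methods only on default-servlet content) is constructed for the demonstration.

```java
import java.util.Arrays;

/**
 * Added illustration, not Tomcat's code: a simplified model of the
 * default-servlet pass in RealmBase.findSecurityConstraints.
 */
public class DefaultServletMatchDemo {

    /** Models a web-resource-collection: url-patterns plus optional method lists. */
    static final class SecurityCollection {
        final String[] patterns;
        final String[] methods;         // http-method entries
        final String[] omittedMethods;  // http-method-omission entries

        SecurityCollection(String[] patterns, String[] methods, String[] omittedMethods) {
            this.patterns = patterns;
            this.methods = methods;
            this.omittedMethods = omittedMethods;
        }

        /**
         * Does this collection cover the given HTTP method? Assumed semantics
         * (mirroring Tomcat's SecurityCollection.findMethod as understood here):
         * no method lists -> every method; explicit http-method list -> only
         * those; http-method-omission list -> everything except those.
         */
        boolean findMethod(String method) {
            if (methods.length == 0 && omittedMethods.length == 0) {
                return true;
            }
            if (methods.length > 0) {
                return Arrays.asList(methods).contains(method);
            }
            return !Arrays.asList(omittedMethods).contains(method);
        }
    }

    /**
     * Vulnerable default-servlet pass: a "/" pattern matches regardless of the
     * request method. The method parameter is accepted only for signature
     * parity with the fixed variant; the vulnerable code never looks at it.
     */
    static boolean matchesDefaultServletVulnerable(SecurityCollection collection, String method) {
        boolean matched = false;
        for (String pattern : collection.patterns) {
            if (pattern.equals("/")) {
                matched = true;
                break;
            }
        }
        return matched;
    }

    /** Corrected pass: skip the collection unless it covers the request method. */
    static boolean matchesDefaultServletFixed(SecurityCollection collection, String method) {
        if (!collection.findMethod(method)) {
            return false;
        }
        return matchesDefaultServletVulnerable(collection, method);
    }

    public static void main(String[] args) {
        // Constructed example: the administrator intends only write methods on
        // static content served by the default servlet to fall under the constraint.
        SecurityCollection writesOnly = new SecurityCollection(
                new String[] {"/"},
                new String[] {"PUT", "DELETE"},
                new String[0]);

        for (String method : new String[] {"GET", "PUT", "DELETE"}) {
            System.out.printf("%-7s vulnerable=%-5b fixed=%-5b%n", method,
                    matchesDefaultServletVulnerable(writesOnly, method),
                    matchesDefaultServletFixed(writesOnly, method));
        }
    }
}
```

Compile and run it with javac and java; the GET row is the one to look at, since that is where the vulnerable pass applies a PUT/DELETE-only constraint to a method the administrator never listed, while the fixed pass respects the declared scope. The same one-line gate on findMethod is what the other three passes in the real method already had, which is why only this branch was affected.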
Mitigation
Only recent versions of Apache Tomcat are community-supported; end-of-life versions will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- j0hndo (finder)