Apache Tomcat Flaws Allow Auth Bypass, Security Constraint Evasion
The Apache Software Foundation has disclosed two security vulnerabilities in Apache Tomcat that can lead to authentication bypass and improper enforcement of security constraints. These flaws impact a wide range of enterprise deployments that rely on Tomcat as a Java servlet container for production workloads.
Tracked as CVE-2026-55957 (Important severity) and CVE-2026-55956 (Moderate severity), the vulnerabilities affect multiple supported versions of Tomcat. If left unpatched, they could expose sensitive applications to unauthorized access, particularly where security constraints are the primary access control mechanism.
Both flaws were publicly announced on June 29, 2026, via official Apache Tomcat security advisories. Given Tomcat’s widespread footprint across enterprise Java environments, these issues carry significant operational risk.
Apache Tomcat Flaws
CVE-2026-55957 is the more severe of the two. It stems from an authentication bypass that occurs when JNDIRealm is used alongside a GSSAPI-authenticated bind.
The root cause lies in improper handling of security constraints tied to the default servlet. When constraints are defined, any specified HTTP methods or method omissions are ignored during enforcement.
This allows attackers to bypass authentication controls by leveraging unvalidated HTTP methods or exploiting inconsistencies in constraint enforcement.
In environments where JNDIRealm handles centralized authentication, such as LDAP-backed identity systems, this flaw could permit unauthorized access without valid credentials, undermining the integrity of enterprise identity controls.
The vulnerability affects:
- Apache Tomcat 11.0.0-M1 through 11.0.4
- Apache Tomcat 10.1.0-M1 through 10.1.36
- Apache Tomcat 9.0.0-M1 through 9.0.100
Older, unsupported versions may also be affected, raising the risk for legacy deployments still in production. Security researcher Ilan Toyter is credited with identifying the issue.
CVE-2026-55956, rated Moderate severity, also originates from improper enforcement of security constraints in the default servlet. Like CVE-2026-55957, it causes configured HTTP method restrictions to be ignored during constraint enforcement.
As a result, access control policies designed to restrict specific HTTP methods (GET, POST, PUT, or DELETE) may fail to function as intended.
Attackers could exploit this by issuing requests using methods that should have been blocked. For instance, an endpoint configured to reject POST requests might still process them, potentially enabling unauthorized data modification.
This flaw affects a broader version range:
- Apache Tomcat 11.0.0-M1 through 11.0.22
- Apache Tomcat 10.1.0-M1 through 10.1.55
- Apache Tomcat 9.0.0-M1 through 9.0.118
Researcher j0hndo is credited with the discovery.
Patches and Mitigation
Apache has released fixed versions for both vulnerabilities. Administrators should upgrade as follows:
- CVE-2026-55957: Upgrade to Tomcat 11.0.5+, 10.1.37+, or 9.0.101+
- CVE-2026-55956: Upgrade to Tomcat 11.0.23+, 10.1.56+, or 9.0.119+
Organizations running exposed Tomcat instances, especially those integrated with enterprise authentication systems like LDAP, should prioritize patching immediately and review access control configurations for gaps.
Security teams are also advised to audit logs for unusual HTTP method usage and verify that security constraints behave as expected post-remediation.
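The two checks recommended above can be combined: read the `<security-constraint>` entries from a web.xml, work out which HTTP methods each one is meant to cover (the `<http-method>` and `<http-method-omission>` semantics the flaws cause Tomcat to ignore), and then scan access log lines for requests that a constraint should have stopped but that were served with a 2xx to an unauthenticated caller. The script below is an added example written for this article; it is not code from Apache Tomcat or from the advisories. The web.xml fragment and the log lines are constructed, and the log parser assumes Tomcat's "common" AccessLogValve pattern (`%h %l %u %t "%r" %s %b`).

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the advisory). Two constraints:
#  - /admin/*: only PUT and DELETE are constrained (<http-method>), role "manager"
#  - /api/*:   every method except GET and HEAD is constrained (<http-method-omission>), role "api-user"
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin writes</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api non-read</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>api-user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed access log lines in Tomcat's "common" pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2026:10:15:32 +0000] "GET /admin/status HTTP/1.1" 200 512',
    '10.0.0.5 - - [29/Jun/2026:10:15:40 +0000] "DELETE /admin/users/42 HTTP/1.1" 200 17',
    '10.0.0.5 - - [29/Jun/2026:10:15:41 +0000] "DELETE /admin/users/43 HTTP/1.1" 401 0',
    '10.0.0.7 - alice [29/Jun/2026:10:16:02 +0000] "PUT /admin/config HTTP/1.1" 204 0',
    '10.0.0.9 - - [29/Jun/2026:10:16:10 +0000] "GET /api/items?x=1 HTTP/1.1" 200 900',
    '10.0.0.9 - - [29/Jun/2026:10:16:11 +0000] "POST /api/items HTTP/1.1" 201 33',
    '10.0.0.9 - - [29/Jun/2026:10:16:12 +0000] "PATCH /api/items/7 HTTP/1.1" 403 0',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def _local(tag):
    """Strip the XML namespace: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element called `name` (namespace ignored)."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def parse_constraints(xml_text):
    """One rule dict per <security-constraint>; methods=None means 'all methods'."""
    rules = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        methods = set(_texts(sc, "http-method"))
        rules.append({
            "name": (_texts(sc, "web-resource-name") or ["?"])[0],
            "patterns": _texts(sc, "url-pattern"),
            "methods": methods or None,
            "omitted": set(_texts(sc, "http-method-omission")),
            "roles": set(_texts(sc, "role-name")),
        })
    return rules


def constraint_covers(rule, method):
    """Servlet-spec semantics: <http-method> lists the covered methods, <http-method-omission>
    lists the ones NOT covered, and neither element means every method is covered."""
    if rule["methods"] is not None:
        return method in rule["methods"]
    return method not in rule["omitted"]


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: '/x/*' prefix, '*.ext' extension, '/' default, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern == "/":
        return True
    return path == pattern


def audit(log_lines, rules):
    """Flag requests a constraint covers that were served 2xx to an unauthenticated caller.
    A hit means the constraint did not bite (flaw or misconfiguration); it is a review aid,
    not proof of exploitation."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # other log formats are out of scope for this example
        method, status, user = m["method"], int(m["status"]), m["user"]
        path = m["path"].split("?", 1)[0]
        for rule in rules:
            matched = any(pattern_matches(p, path) for p in rule["patterns"])
            if matched and constraint_covers(rule, method) and user == "-" and 200 <= status < 300:
                findings.append({"method": method, "path": path, "status": status, "rule": rule["name"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, parse_constraints(WEB_XML)):
        print(f"constraint '{f['rule']}' did not block {f['method']} {f['path']} (HTTP {f['status']})")
```

Point the script at the real web.xml and access logs of an instance before and after upgrading: on a vulnerable build the covered methods show up as unauthenticated 2xx responses, and after remediation the same requests should appear as 401/403. Unmatched log formats are skipped, so adjust `LOG_RE` if the AccessLogValve pattern has been customised.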
Given the ease of exploitation and the critical role Tomcat plays in Java-based infrastructure, delayed patching significantly raises the risk of unauthorized access and data compromise.