Multiple Apache Tomcat Vulnerabilities Allow Attackers to Bypass Authentication
The Apache Software Foundation has disclosed two vulnerabilities affecting Apache Tomcat that could allow attackers to bypass authentication and security constraints protecting web applications.
The flaws, tracked as CVE-2026-55957 and CVE-2026-55956, impact multiple major versions of the widely deployed servlet container, prompting urgent upgrade recommendations across enterprise environments.
CVE-2026-55957: JNDIRealm Authentication Bypass
Rated as Important severity, this vulnerability affects Tomcat’s JNDIRealm component when configured with GSSAPI authenticated bind. The flaw stems from improperly enforced security constraints on the default servlet, where configured HTTP methods or method omissions within access rules were silently ignored.
This behavior effectively allowed attackers to bypass intended access restrictions and reach protected resources without proper authentication.
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.4
- Apache Tomcat 10.1.0-M1 through 10.1.36
- Apache Tomcat 9.0.0.M1 through 9.0.100
- Older, unsupported branches may also be vulnerable
Fix: Upgrade to Tomcat 11.0.5, 10.1.37, or 9.0.101 or later. The issue was responsibly disclosed by security researcher Ilan Toyter.
CVE-2026-55956: Default Servlet Constraint Bypass
The second flaw, rated Moderate, shares the same root cause: security constraints defined for the default servlet failed to properly enforce configured HTTP methods or method omissions. While less severe than CVE-2026-55957, this issue affects a broader range of Tomcat releases, indicating the defect persisted across several release cycles before detection.
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.22
- Apache Tomcat 10.1.0-M1 through 10.1.55
- Apache Tomcat 9.0.0.M1 through 9.0.118
- Older, unsupported branches may also be vulnerable
Fix: Upgrade to Tomcat 11.0.23, 10.1.56, or 9.0.119 or later.
Both vulnerabilities center on Tomcat’s handling of <security-constraint> definitions applied to the default servlet. When administrators scope access control to specific HTTP methods (e.g., restricting PUT or DELETE while allowing GET), Tomcat’s request-matching logic failed to honor those method-level restrictions consistently.
In practice, this meant that endpoints assumed to be protected by method-based rules remained accessible via unrestricted verbs, creating a path for unauthorized access to sensitive resources or administrative functions.
Organizations running affected Tomcat instances should prioritize patching, especially where the default servlet handles sensitive content or where JNDIRealm with GSSAPI bind is used for LDAP-backed authentication.
Since the Apache Software Foundation lists no workarounds other than upgrading, applying the patched releases is the only reliable mitigation. Administrators should also audit existing web.xml security constraints post-upgrade to confirm intended access controls now function as designed.
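One way to support that post-upgrade audit, as an added example that is not part of the advisory or of Apache Tomcat: a small script that parses a web.xml, lists every security-constraint that is scoped by http-method or http-method-omission (the rules this bug ignored, and the ones to re-test after upgrading), and reports whether deny-uncovered-http-methods is set, since a method-scoped constraint leaves the other verbs uncovered by design. The sample descriptor is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: PUT/DELETE on /admin/* require the admin role,
# so GET/POST on /admin/* are not covered by that first constraint at all.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-writes</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>docs-writes</web-resource-name>
      <url-pattern>/docs/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>editor</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so Java EE and Jakarta EE descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element with the given local name, in document order."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit_constraints(web_xml):
    """Return (deny_uncovered, findings) with one dict per method-scoped constraint."""
    root = ET.fromstring(web_xml)
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root.iter())
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        methods = _texts(sc, "http-method")
        omissions = _texts(sc, "http-method-omission")
        if methods or omissions:
            # Method-scoped rule: verbs it does not name stay unconstrained unless
            # <deny-uncovered-http-methods/> is present. Re-test these paths after upgrading.
            findings.append({"patterns": _texts(sc, "url-pattern"), "methods": methods,
                             "omissions": omissions, "uncovered_denied": deny_uncovered})
    return deny_uncovered, findings


if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML)[1]:
        print(f)
```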
The post Multiple Apache Tomcat Vulnerabilities Allow Attackers to Bypass Authentication appeared first on Cyber Security News.
Guru Baran