{"id":13994,"date":"2026-07-01T10:03:40","date_gmt":"2026-07-01T10:03:40","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/01\/multiple-apache-tomcat-vulnerabilities-allow-attackers-to-bypass-authentication\/"},"modified":"2026-07-01T10:03:40","modified_gmt":"2026-07-01T10:03:40","slug":"multiple-apache-tomcat-vulnerabilities-allow-attackers-to-bypass-authentication","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/01\/multiple-apache-tomcat-vulnerabilities-allow-attackers-to-bypass-authentication\/","title":{"rendered":"Multiple Apache Tomcat Vulnerabilities Allow Attackers to Bypass Authentication"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">The Apache Software Foundation has disclosed two vulnerabilities affecting <a href=\"https:\/\/cybersecuritynews.com\/apache-tomcat-vulnerabilities-encryptinterceptor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Apache Tomcat<\/a> that could allow attackers to bypass authentication and security constraints protecting web applications.<\/p>\n<p class=\"wp-block-paragraph\">The flaws, tracked as CVE-2026-55957 and CVE-2026-55956, impact multiple major versions of the widely deployed servlet container, prompting urgent upgrade recommendations across enterprise environments.<\/p>\n<h2 id=\"h-cve-2026-55957-jndirealm-authentication-bypass\" class=\"wp-block-heading\"><strong>CVE-2026-55957: JNDIRealm Authentication Bypass<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Rated as Important severity, <a href=\"https:\/\/lists.apache.org\/thread\/7fk339o5jvd4mcgsf0chbrn4o525ccjh\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">this vulnerability affects<\/a> Tomcat\u2019s JNDIRealm component when configured with GSSAPI authenticated bind. 
The flaw stems from improperly enforced security constraints on the default servlet, where configured HTTP methods or method omissions within access rules were silently ignored.<\/p>\n<p class=\"wp-block-paragraph\">This behavior effectively allowed attackers to bypass intended access restrictions and reach protected resources without proper authentication.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Affected versions:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>Apache Tomcat 11.0.0-M1 through 11.0.4<\/li>\n<li>Apache Tomcat 10.1.0-M1 through 10.1.36<\/li>\n<li>Apache Tomcat 9.0.0.M1 through 9.0.100<\/li>\n<li>Older, unsupported branches may also be vulnerable<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Upgrade to Tomcat 11.0.5, 10.1.37, or 9.0.101 or later. The issue was responsibly disclosed by security researcher Ilan Toyter.<\/p>\n<h2 id=\"h-cve-2026-55956-default-servlet-constraint-bypass\" class=\"wp-block-heading\"><strong>CVE-2026-55956: Default Servlet Constraint Bypass<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The second flaw, rated Moderate, shares the same root cause: security constraints defined for the default servlet failed to properly enforce configured HTTP methods or method omissions. 
While less severe <a href=\"https:\/\/lists.apache.org\/thread\/9y0gjcjjmoq2xl91tz7botgxn6mpw6ls\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">than CVE-2026-55957<\/a>, this issue affects a broader range of Tomcat releases, indicating the defect persisted across several release cycles before detection.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Affected versions:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>Apache Tomcat 11.0.0-M1 through 11.0.22<\/li>\n<li>Apache Tomcat 10.1.0-M1 through 10.1.55<\/li>\n<li>Apache Tomcat 9.0.0.M1 through 9.0.118<\/li>\n<li>Older, unsupported branches may also be vulnerable<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\"><strong>Fix:<\/strong> Upgrade to Tomcat 11.0.23, 10.1.56, or 9.0.119 or later.<\/p>\n<p class=\"wp-block-paragraph\">Both vulnerabilities center on Tomcat\u2019s handling of <code>&lt;security-constraint&gt;<\/code> definitions applied to the default servlet. When administrators scope access control to specific HTTP methods (e.g., restricting <code>PUT<\/code> or <code>DELETE<\/code> while allowing <code>GET<\/code>), Tomcat\u2019s request-matching logic failed to honor those method-level restrictions consistently.<\/p>\n<p class=\"wp-block-paragraph\">In practice, this meant that endpoints assumed to be protected by method-based rules remained accessible via unrestricted verbs, creating a path for unauthorized access to sensitive resources or administrative functions.<\/p>\n<p class=\"wp-block-paragraph\">Organizations running affected Tomcat instances should prioritize patching, especially where the default servlet handles sensitive content or where JNDIRealm with GSSAPI bind is used for <a href=\"https:\/\/cybersecuritynews.com\/apache-cxf-ldap-injection-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">LDAP-backed authentication<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">Since the Apache Software Foundation lists no workarounds other than upgrading, applying the patched releases 
is the only reliable mitigation. Administrators should also audit existing <code>web.xml<\/code> security constraints post-upgrade to confirm intended access controls now function as designed.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/multiple-apache-tomcat-vulnerabilities\/\">Multiple Apache Tomcat Vulnerabilities Allow Attackers to Bypass Authentication<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Apache Software Foundation has disclosed two vulnerabilities affecting Apache Tomcat that could allow attackers to bypass authentication and security constraints protecting web applications. 
The flaws, tracked as CVE-2026-55957 and CVE-2026-55956, impact multiple major versions of the widely deployed servlet container, prompting urgent upgrade recommendations across [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-13994","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13994"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13994"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13994\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}