CVE-2026-42498 PUBLISHED

Apache Tomcat: WebSocket authentication header exposure

Assigner: apache
Reserved: 27.04.2026 Published: 12.05.2026 Updated: 12.05.2026

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.21 (incl.) affected from 10.1.0-M1 to 10.1.54 (incl.) affected from 9.0.2 to 9.0.117 (incl.) affected from 8.5.24 to 8.5.100 (incl.) affected from 7.0.83 to 7.0.109 (incl.)

Credits

lokerxx finder

References

https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb

Problem Types

CWE-200 Exposure of HTTP Authentication Header to unexpected hosts CWE