CVE-2026-53404

Apache Tomcat: Bad ornext processing in RewriteValve

Assigner: apache
Reserved: 09.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.22 (incl.) affected from 10.1.0-M1 to 10.1.55 (incl.) affected from 9.0.0.M1 to 9.0.118 (incl.) affected from 8.5.0 to 8.5.100 (incl.) unaffected from 0 to 8.0.0 (excl.)

Vendor

Apache Software Foundation

Product

Apache Tomcat

Versions

Default: unaffected

affected from 11.0.0-M1 to 11.0.22 (incl.)
affected from 10.1.0-M1 to 10.1.55 (incl.)
affected from 9.0.0.M1 to 9.0.118 (incl.)
affected from 8.5.0 to 8.5.100 (incl.)
unaffected from 0 to 8.0.0 (excl.)

References

Problem Types

CWE-670 Always-Incorrect Control Flow Implementation CWE

CVE-2026-53404 PUBLISHED

Apache Tomcat: Bad ornext processing in RewriteValve

Product Status

References

Problem Types