CVE-2026-55276

Apache Tomcat: Logged effective web.xml is incomplete

Assigner: apache
Reserved: 16.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.22 (incl.) affected from 10.1.0-M1 to 10.1.55 (incl.) affected from 9.0.0.M1 to 9.0.118 (incl.) affected from 8.5.0 to 8.5.100 (incl.) unaffected from 0 to 8.0.0 (excl.)

Vendor

Apache Software Foundation

Product

Apache Tomcat

Versions

Default: unaffected

affected from 11.0.0-M1 to 11.0.22 (incl.)
affected from 10.1.0-M1 to 10.1.55 (incl.)
affected from 9.0.0.M1 to 9.0.118 (incl.)
affected from 8.5.0 to 8.5.100 (incl.)
unaffected from 0 to 8.0.0 (excl.)

References

Problem Types

CWE-670 Always-Incorrect Control Flow Implementation CWE

CVE-2026-55276 PUBLISHED

Apache Tomcat: Logged effective web.xml is incomplete

Product Status

References

Problem Types