CVE-2026-55955 PUBLISHED

Apache Tomcat: EncryptInterceptor not protected against replay attacks

Assigner: apache
Reserved: 17.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.22 (incl.) affected from 10.1.0-M1 to 10.1.55 (incl.) affected from 9.0.13 to 9.0.118 (incl.) affected from 8.5.38 to 8.5.100 (incl.) affected from 7.0.100 to 7.0.109 (incl.)

References

https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106

Problem Types

CWE-287 Improper Authentication CWE