CVE-2026-55956

Apache Tomcat: Security constraints for default servlet ignored method

Assigner: apache
Reserved: 17.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.22 (incl.) affected from 10.1.0-M1 to 10.1.55 (incl.) affected from 9.0.0.M1 to 9.0.118 (incl.) affected from 8.5.0 to 8.5.100 (incl.) affected from 7.0.0 to 7.0.109 (incl.) unknown from 0 to 7.0.0 (excl.)

Vendor

Apache Software Foundation

Product

Apache Tomcat

Versions

Default: unaffected

affected from 11.0.0-M1 to 11.0.22 (incl.)
affected from 10.1.0-M1 to 10.1.55 (incl.)
affected from 9.0.0.M1 to 9.0.118 (incl.)
affected from 8.5.0 to 8.5.100 (incl.)
affected from 7.0.0 to 7.0.109 (incl.)
unknown from 0 to 7.0.0 (excl.)

Credits

j0hndo (dohyun4466@gmail.com) finder

References

Problem Types

CWE-285 Improper Authorization CWE

CVE-2026-55956 PUBLISHED

Apache Tomcat: Security constraints for default servlet ignored method

Product Status

Credits

References

Problem Types