Critical Apache Tomcat flaws let attackers bypass authentication

Emy Elsamnoudy
July 1, 2026

Key Takeaways

  • The Apache Software Foundation has revealed two critical vulnerabilities in Apache Tomcat.
  • The flaws, CVE-2026-55957 and CVE-2026-55956, could allow attackers to bypass authentication and security constraints.
  • Multiple major versions of Apache Tomcat are affected, including 11.x, 10.1.x, and 9.0.x branches.
  • Patches are available, and immediate upgrades are strongly recommended for all affected instances.

The Apache Software Foundation has issued a critical security alert regarding two vulnerabilities discovered in Apache Tomcat, its widely used open-source web server and servlet container. These flaws, identified as CVE-2026-55957 and CVE-2026-55956, could enable unauthorized access by allowing attackers to circumvent authentication mechanisms and security restrictions designed to protect web applications.

The vulnerabilities affect numerous current and older versions of Tomcat, necessitating urgent upgrades across enterprise environments to prevent potential compromise.

Detailed Vulnerability Analysis

CVE-2026-55957: JNDIRealm Authentication Bypass

Designated with an “Important” severity rating, this vulnerability affects the JNDIRealm component of Tomcat, specifically when it is configured to use GSSAPI authenticated bind. The core issue lies in the default servlet’s failure to properly enforce security constraints. Specifically, HTTP methods or method omissions specified within access rules were silently disregarded.

This oversight created a loophole, allowing malicious actors to bypass established access restrictions and gain unauthorized entry to protected resources without proper authentication. Security researcher Ilan Toyter is credited with the responsible disclosure of this flaw.

Affected versions:

  • Apache Tomcat 11.0.0-M1 through 11.0.4
  • Apache Tomcat 10.1.0-M1 through 10.1.36
  • Apache Tomcat 9.0.0.M1 through 9.0.100
  • Older, unsupported branches may also be vulnerable

To mitigate this risk, users should upgrade to Tomcat 11.0.5, 10.1.37, 9.0.101, or newer versions.

CVE-2026-55956: Default Servlet Constraint Bypass

The second vulnerability, rated “Moderate” in severity, stems from the same fundamental flaw: the default servlet’s inability to correctly enforce security constraints related to specified HTTP methods or method omissions. While deemed less critical than CVE-2026-55957, this issue impacts an even broader spectrum of Tomcat releases, indicating a persistent defect across multiple development cycles before its identification.

Affected versions:

  • Apache Tomcat 11.0.0-M1 through 11.0.22
  • Apache Tomcat 10.1.0-M1 through 10.1.55
  • Apache Tomcat 9.0.0.M1 through 9.0.118
  • Older, unsupported branches may also be vulnerable

Fix: Users should upgrade to Tomcat 11.0.23, 10.1.56, 9.0.119, or later versions.

Both vulnerabilities originate from how Tomcat processes <security-constraint> definitions applied to its default servlet. When administrators configure access controls to restrict specific HTTP methods (e.g., prohibiting PUT or DELETE requests while permitting GET), Tomcat’s internal request-matching logic failed to consistently honor these method-level restrictions. This critical oversight meant that web endpoints presumed to be secured by method-based rules remained accessible through unrestricted HTTP verbs, creating an avenue for unauthorized access to sensitive data or administrative functions.

Organizations operating vulnerable Tomcat instances must prioritize applying the available patches. This is particularly crucial for systems where the default servlet handles sensitive information or where JNDIRealm with GSSAPI bind is employed for LDAP-backed authentication.

What You Should Do

  • Upgrade Immediately: Apply the latest patched versions of Apache Tomcat: 11.0.5 or later, 10.1.37 or later, and 9.0.101 or later for CVE-2026-55957. For CVE-2026-55956, upgrade to 11.0.23 or later, 10.1.56 or later, and 9.0.119 or later. These upgrades are the only official mitigation provided by the Apache Software Foundation.
  • Audit Security Constraints: After upgrading, conduct a thorough audit of your web.xml security constraints to confirm that intended access controls are now functioning as designed and that method-based restrictions are properly enforced.
  • Review JNDIRealm Configurations: If your environment utilizes JNDIRealm with GSSAPI authenticated bind, pay particular attention to its security posture post-upgrade.
  • Monitor for Anomalous Activity: Implement robust logging and monitoring for your Tomcat instances to detect any unusual access attempts or resource manipulation that could indicate exploitation.
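The paragraph on <security-constraint> handling above and the "Audit Security Constraints" step both call for knowing which of your constraints depend on method-level rules. The script below is an added example, not code from the article or from Apache Tomcat: it parses a web.xml and reports every <web-resource-collection> that uses <http-method> or <http-method-omission>, since those are exactly the rules the affected versions silently ignored for the default servlet. The sample web.xml is constructed for the demo.

```python
# Added example (not from the article or Apache Tomcat): list web.xml security
# constraints that rely on method rules, which affected Tomcat versions ignored.
import xml.etree.ElementTree as ET

# Constructed sample web.xml for the demo (Jakarta EE namespace).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-writes</web-resource-name><url-pattern>/admin/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports-writes</web-resource-name><url-pattern>/reports/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-app</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Drop the namespace prefix so javaee and jakartaee descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def find_method_scoped_constraints(web_xml_text):
    """Return one finding per <web-resource-collection> that uses method rules."""
    findings = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            fields = {}
            for child in wrc:
                fields.setdefault(_local(child.tag), []).append((child.text or "").strip())
            methods = fields.get("http-method", [])
            omissions = fields.get("http-method-omission", [])
            if methods or omissions:  # method-scoped: not honored on vulnerable builds
                findings.append({"name": fields.get("web-resource-name", ["?"])[0],
                                 "patterns": fields.get("url-pattern", []),
                                 "methods": methods, "omissions": omissions})
    return findings
```

Run it against each deployed application's WEB-INF/web.xml after upgrading; any finding marks a resource whose protection depended on the fix, so verify it with a request using a non-listed method.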
