TL;DR
The Apache Tomcat project disclosed seven vulnerabilities on 29 June 2026. The most serious of them lets an attacker bypass authentication. The flaws span Tomcat 7 through 11. No active exploitation has been confirmed.
Why It Matters
Tomcat runs a large share of Java web applications worldwide, so any authentication flaw carries broad risk. The headline bug, CVE-2026-55957, rates "important." It affects setups that use a JNDIRealm with GSSAPI bind authentication. In that case, an attacker could log in without the correct password. Many teams run Tomcat behind a reverse proxy, but that offers no protection here unless the proxy enforces its own authentication: the bypass happens inside Tomcat when a client attempts to log in through the application's normal login path, and the proxy forwards that request like any other.
How the Attacks Work
Authentication bypass (CVE-2026-55957)
The JNDIRealm skipped a required step during the GSSAPI authenticated bind. As a result, a user could authenticate without valid credentials. Deployments whose JNDIRealm uses a different bind type are not covered by this flaw.
Authorization and other flaws
CVE-2026-55956 (moderate) let the default servlet ignore the HTTP-method constraints in security rules, so requests using restricted methods could slip through. CVE-2026-55955 (low) allowed a replay attack against the cluster EncryptInterceptor. The remaining issues cover an incomplete web.xml log, an ignored CRL on FFM connectors, a RewriteValve logic error, and an XSS bug in a sample application.
Affected Versions
The auth bypass affects Tomcat 11.0.0-M1 to 11.0.4, 10.1.0-M1 to 10.1.36, 9.0.0.M1 to 9.0.100, 8.5.0 to 8.5.100, and 7.0.0 to 7.0.109. The other six flaws affect later releases as well, up to 11.0.22, 10.1.55, and 9.0.118.
Patch and Mitigation
Apache fixed the auth bypass in 11.0.5, 10.1.37, and 9.0.101. The remaining flaws need 11.0.23, 10.1.56, or 9.0.119, so upgrade to the newest patched build on your branch to cover every issue. Tomcat 7 and 8.5 are end of life and will not receive fixes; deployments still on those branches need to move to a supported branch at 9.0.119 or later. Apache reported no public proof-of-concept for these flaws. Even so, the bypass is trivial once a vulnerable realm is active: a login attempt without the correct password succeeds. Confirm the running build with bin/version.sh (version.bat on Windows) rather than trusting a package name, and pull binaries from the official Tomcat download archive. These Apache Tomcat vulnerabilities deserve prompt patching, because the auth bypass needs no password.
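The following audit script is an added example, not code from the article or from the Tomcat project. It does the two checks a practitioner wants after reading the Affected Versions and Patch sections above: it scans a server.xml for a JNDIRealm configured for a GSSAPI bind, and it compares a Tomcat version string (including milestone builds such as 11.0.0-M1 and 9.0.0.M1) against the affected and fixed ranges quoted in the article. The server.xml is constructed for the example, the realm attribute names follow the JNDIRealm documentation but are assumed here rather than taken from the advisory, and a "fixed" verdict only means the version is at or past the fix release named above.

```python
"""Audit helper for the Tomcat advisory above (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# Auth-bypass ranges quoted in the article, per branch:
# (first affected, last affected, fix release or None where the branch is end of life).
AUTH_BYPASS_RANGES = {
    "11.0": ("11.0.0-M1", "11.0.4", "11.0.5"),
    "10.1": ("10.1.0-M1", "10.1.36", "10.1.37"),
    "9.0": ("9.0.0.M1", "9.0.100", "9.0.101"),
    "8.5": ("8.5.0", "8.5.100", None),   # end of life, no fix published
    "7.0": ("7.0.0", "7.0.109", None),   # end of life, no fix published
}

# Release that closes all seven issues on each supported branch, per the article.
LATEST_FIXED = {"11.0": "11.0.23", "10.1": "10.1.56", "9.0": "9.0.119"}

# Accepts "11.0.4", "11.0.0-M1" (Tomcat 10/11 style) and "9.0.0.M1" (Tomcat 9 style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; a milestone sorts before the GA build of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)      # GA build
    return (int(major), int(minor), int(patch), 0, int(milestone))


def auth_bypass_status(version):
    """One of 'affected', 'affected-eol', 'fixed', 'unknown' for the auth bypass ranges."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AUTH_BYPASS_RANGES:
        return "unknown"
    first, last, fixed = AUTH_BYPASS_RANGES[branch]
    if parse_version(first) <= v <= parse_version(last):
        return "affected" if fixed else "affected-eol"
    if fixed and v >= parse_version(fixed):
        return "fixed"
    return "unknown"


def fully_patched(version):
    """True only when the build is at or past the release that closes all seven issues.
    End-of-life and unrecognised branches are reported as not patched for manual review."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    return branch in LATEST_FIXED and v >= parse_version(LATEST_FIXED[branch])


def gssapi_jndi_realms(server_xml):
    """Return the connectionURL of every JNDIRealm that binds with GSSAPI.
    Realms may be nested (e.g. inside a LockOutRealm), so the whole tree is walked.
    Assumes the GSSAPI bind is selected with authentication="GSSAPI" on the <Realm>."""
    root = ET.fromstring(server_xml)
    hits = []
    for realm in root.iter("Realm"):
        cls = realm.attrib.get("className", "")
        auth = realm.attrib.get("authentication", "")
        if cls.endswith(".JNDIRealm") and auth.upper() == "GSSAPI":
            hits.append(realm.attrib.get("connectionURL", "<no connectionURL>"))
    return hits


# Constructed sample server.xml: one GSSAPI realm and one simple-bind realm, both
# wrapped in a LockOutRealm as is common in real deployments.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.test:389"
               authentication="GSSAPI"
               useDelegatedCredential="true"
               userPattern="uid={0},ou=people,dc=example,dc=test"/>
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap2.example.test:389"
               authentication="simple"
               userPattern="uid={0},ou=people,dc=example,dc=test"/>
      </Realm>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for url in gssapi_jndi_realms(SAMPLE_SERVER_XML):
        print(f"JNDIRealm with GSSAPI bind found: {url}")
    for ver in ("11.0.4", "11.0.5", "11.0.23", "9.0.0.M1", "8.5.100"):
        print(f"{ver}: auth bypass {auth_bypass_status(ver)}, "
              f"all seven issues fixed: {fully_patched(ver)}")
```

Point gssapi_jndi_realms at the real $CATALINA_BASE/conf/server.xml and feed auth_bypass_status the "Server number" line from bin/version.sh; a GSSAPI realm on any build reported as "affected" or "affected-eol" is the case the article flags as urgent.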
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.