The Apache Software Foundation has rolled out a trio of security updates for its ubiquitous Apache Tomcat web server environment, addressing vulnerabilities that range from legacy protocol confusion to clever certificate authentication bypasses. The patches cover multiple release branches, including Tomcat 11, 10, and 9, resolving one Low and two Moderate severity flaws.
Administrators managing Tomcat and Tomcat Native deployments are advised to review their configurations, especially if they heavily rely on virtual host mapping or client certificate authentication.
The first vulnerability, tracked as CVE-2026-24733, highlights the dangers of supporting legacy protocols in modern web environments. Rated Low severity, this flaw involves HTTP/0.9 and how it interacts with Tomcat’s security constraints.
According to the official advisory, “Tomcat did not limit HTTP/0.9 requests to the GET method”.
This oversight created a loophole in access control policies. If a server administrator configured a security constraint that explicitly allowed HEAD requests to a specific URI but denied GET requests, an attacker could use the legacy protocol to evade that constraint. The advisory notes that a user “could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9”.
The most complex flaw in the batch is CVE-2025-66614, a Moderate severity vulnerability involving Client Certificate Verification bypass.
The issue stems from a mismatch between the transport layer and the application layer. The report states that “Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field”.
In a multi-tenant environment where Tomcat is configured with several virtual hosts, this discrepancy becomes dangerous. If one virtual host did not require client certificate authentication but another one on the same server did, a malicious actor could exploit the mapping. It was “possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field,” effectively tricking the server into granting unauthorized access.
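The two bypass conditions described above, an HTTP/0.9 request using a method other than GET and a mismatch between the SNI host name and the HTTP Host header, as an added example that is neither Tomcat's code nor taken from the advisory. It models a TLS-terminating front end with two constructed virtual hosts; the host names, the VHOSTS table and the tls_handshake/admit functions are assumptions for illustration.

```python
# Added example (not Tomcat's own code): simplified model of a TLS front end
# where each virtual host decides whether a client certificate is required.
# Constructed virtual-host table: only the "secure" host demands a client cert.
VHOSTS = {
    "public.example.com": {"client_cert_required": False},
    "secure.example.com": {"client_cert_required": True},
}


def tls_handshake(sni: str, client_presents_cert: bool) -> bool:
    """Simulated handshake: the SNI host decides whether a client certificate is
    demanded. As with a connector-level clientAuth setting, this is the only
    place client certificates are checked. Returns the connection's cert flag."""
    vhost = VHOSTS.get(sni.lower())
    if vhost is None:
        raise ConnectionError(f"no virtual host for SNI {sni!r}")
    if vhost["client_cert_required"] and not client_presents_cert:
        raise ConnectionError("handshake failed: client certificate required")
    return client_presents_cert


def _host_only(host_header: str) -> str:
    """Drop an optional :port from a Host header value (handles [ipv6]:port too)."""
    h = host_header.strip().lower()
    if h.endswith("]") or ":" not in h:
        return h
    return h.rsplit(":", 1)[0]


def admit(sni: str, host_header: str, method: str, version: str,
          enforce_sni_match: bool) -> int:
    """Return the HTTP status the front end answers for a request on a TLS connection."""
    if version == "0.9" and method != "GET":
        return 400  # HTTP/0.9 defines only GET; a HEAD here must not reach constraints
    if enforce_sni_match and sni.lower() != _host_only(host_header):
        return 400  # TLS-layer host and HTTP-layer host disagree: reject the request
    if _host_only(host_header) not in VHOSTS:
        return 404
    return 200  # routed to the Host header's virtual host, trusting the handshake


def scenario(enforce_sni_match: bool) -> int:
    """A client with no certificate handshakes as the public host, then names the
    secure host in the Host header. Without the SNI/Host check it is served."""
    tls_handshake("public.example.com", client_presents_cert=False)
    return admit("public.example.com", "secure.example.com:8443", "GET", "1.1",
                 enforce_sni_match)
```

With enforce_sni_match=False the secure host is served without a certificate (200); with the check enabled the same request is rejected (400).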
Rounding out the updates is CVE-2026-24734, another Moderate severity flaw affecting both Apache Tomcat and the Apache Tomcat Native library. While the provided advisory snippet does not dive deep into the technical mechanics, it identifies the flaw as an “OCSP revocation bypass,” meaning the server might fail to properly reject compromised or revoked cryptographic certificates during the authentication process.
To secure web applications against these bypass techniques, the Apache Software Foundation urges users to upgrade their deployments.
Depending on your current release track, apply the following upgrade to patch the flaws:
- Tomcat 11: Upgrade to 11.0.18 (or 11.0.15 depending on the specific CVE branch).
- Tomcat 10: Upgrade to 10.1.52 (or 10.1.50 depending on the specific CVE branch).
- Tomcat 9: Upgrade to 9.0.115 (or 9.0.113 depending on the specific CVE branch).
- Tomcat Native: Upgrade to 2.0.12 (for 2.x users) or 1.3.5 (for 1.x users).
Older, End-of-Life (EOL) versions are also affected and should be migrated to supported branches immediately.