Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-43515

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

View on NVD

Analysis

Apache Tomcat versions 7 through 11 are vulnerable to an authorization bypass (CVE-2026-43515). This flaw allows attackers to potentially access protected resources by exploiting how the server handles overlapping HTTP method constraints. Users should upgrade to 11.0.22, 10.1.55, or 9.0.118 to secure their Java web applications.

Severity

Score: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Weakness (CWE): CWE-285

EPSS

Probability of exploitation (next 30 days): 0.0002 (0.0%)
Percentile: 4.3%
EPSS: 2026-05-14

Technical description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Published: 5/12/2026, 4:16:18 PM
Last modified: 5/14/2026, 8:17:05 PM

References

HomeEventsBlogResourcesTeam