Skip to content
CVSS 9.1 · CRITICAL

CVE-2026-43515

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Ver en NVD

Análisis

Apache Tomcat versions 7 through 11 are vulnerable to an authorization bypass (CVE-2026-43515). This flaw allows attackers to potentially access protected resources by exploiting how the server handles overlapping HTTP method constraints. Users should upgrade to 11.0.22, 10.1.55, or 9.0.118 to secure their Java web applications.

Severidad

Puntaje: 9.1(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-285

EPSS

Probabilidad de explotación (próx. 30 días): 0.0002 (0.0%)
Percentil: 4.3%
EPSS: 2026-05-14

Descripción técnica

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Publicada: 12/5/2026, 16:16:18
Última modificación: 14/5/2026, 20:17:05

Referencias

InicioEventosBlogRecursosEquipo