CVE-2026-24733 Overview
An Improper Input Validation vulnerability exists in Apache Tomcat that allows attackers to bypass security constraints configured for HTTP methods. The vulnerability stems from Tomcat's failure to limit HTTP/0.9 requests to only the GET method, as required by the specification. When a security constraint is configured to allow HEAD requests to a URI but deny GET requests, an attacker can bypass that constraint by sending a specification-invalid HEAD request using HTTP/0.9, effectively gaining unauthorized access to protected resources.
Critical Impact
Security constraint bypass allowing unauthorized access to protected resources through HTTP/0.9 protocol manipulation.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.14
- Apache Tomcat 10.1.0-M1 through 10.1.49
- Apache Tomcat 9.0.0.M1 through 9.0.112
Discovery Timeline
- 2026-02-17 - CVE-2026-24733 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-24733
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation) and affects Apache Tomcat's handling of HTTP/0.9 protocol requests. The HTTP/0.9 protocol is an early, simplified version of HTTP that originally only supported the GET method. However, Tomcat's implementation fails to enforce this protocol-level restriction, allowing other HTTP methods to be transmitted using the HTTP/0.9 request format.
The security impact becomes significant when administrators configure method-based security constraints. For example, if an application restricts GET requests to a sensitive endpoint while permitting HEAD requests (often used for cache validation or resource availability checks), an attacker can craft a malformed HTTP/0.9 HEAD request that Tomcat incorrectly processes, bypassing the intended GET restriction.
Root Cause
The root cause lies in Apache Tomcat's HTTP protocol parser, which does not properly validate and restrict HTTP methods when processing HTTP/0.9 requests. The HTTP/0.9 specification only defines the GET method, but Tomcat accepts other methods in this protocol context without proper validation. This allows specification-invalid requests to be processed, circumventing security constraints that rely on accurate method identification.
Attack Vector
An attacker can exploit this vulnerability by sending a request that names the HEAD method in the simplified HTTP/0.9 request-line format, a format the specification reserves for GET alone. Because Tomcat does not restrict HTTP/0.9 requests to GET, the security constraint check evaluates the request as a permitted HEAD request, allowing access to resources that should be protected under the GET method restriction.
The attack requires network access to the vulnerable Tomcat server and knowledge of the security constraint configuration. No authentication is required to exploit this vulnerability, and the attack can be executed with simple HTTP client tools or custom scripts.
Detection Methods for CVE-2026-24733
Indicators of Compromise
- Unusual HTTP/0.9 protocol requests in access logs, particularly those using methods other than GET
- Access log entries showing HEAD requests to endpoints that should only allow specific HTTP methods
- Unexpected successful responses from security-constrained endpoints
- Anomalous traffic patterns with malformed HTTP protocol version indicators
Detection Strategies
- Monitor web server access logs for HTTP/0.9 protocol requests, which are rare in modern environments
- Implement web application firewall (WAF) rules to detect and block HTTP/0.9 requests with non-GET methods
- Configure intrusion detection systems (IDS) to alert on protocol-level anomalies in HTTP traffic
- Audit application access logs for unexpected successful requests to protected resources
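The access-log check from the first strategy above, as an added example rather than code from this advisory or the Tomcat project: it parses Tomcat's default "common" AccessLogValve format (assumed here to be in use) and reports HTTP/0.9 requests, which appear as a quoted request line with no HTTP/x.y token, optionally limited to methods other than GET. The log lines are constructed.

```python
import re

# Tomcat's default AccessLogValve pattern ("common") writes %h %l %u %t "%r" %s %b,
# where %r is the request line (method, target, protocol). An HTTP/0.9 request
# line has no "HTTP/x.y" token, so its absence in the quoted field marks the
# request as HTTP/0.9; one with a method other than GET is the case described.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
VERSION_RE = re.compile(r' (HTTP/\d\.\d)$')

def parse_request_line(request):
    """Split %r into (method, target, version); version is None for HTTP/0.9."""
    request = request.strip()  # tolerate a trailing space where the protocol would be
    m = VERSION_RE.search(request)
    version = m.group(1) if m else None
    head = request[:m.start()] if m else request
    parts = head.split(" ", 1)
    if len(parts) != 2:
        return None  # not a well-formed request line; leave it to other tooling
    return parts[0], parts[1], version

def find_http09_requests(lines, non_get_only=False):
    """Return (host, method, target, status) for each HTTP/0.9 request logged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        parsed = parse_request_line(m.group("request"))
        if parsed is None:
            continue
        method, target, version = parsed
        if version is not None or (non_get_only and method == "GET"):
            continue
        hits.append((m.group("host"), method, target, int(m.group("status"))))
    return hits

# Constructed sample access log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2026:10:00:02 +0000] "HEAD /reports/q4 HTTP/1.1" 200 -',
    '10.0.0.9 - - [18/Feb/2026:10:00:03 +0000] "GET /robots.txt" 200 41',
    '10.0.0.9 - - [18/Feb/2026:10:00:04 +0000] "HEAD /reports/q4" 200 -',
]

if __name__ == "__main__":
    for hit in find_http09_requests(SAMPLE_LOG, non_get_only=True):
        print("HTTP/0.9 request with non-GET method:", hit)
```

Any HTTP/0.9 request is worth a look in a modern deployment; the non-GET filter isolates the requests that this advisory's constraint bypass would produce.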
Monitoring Recommendations
- Enable detailed HTTP request logging including protocol version information
- Set up alerts for any HTTP/0.9 traffic, as this protocol is obsolete and rarely used legitimately
- Monitor for authentication and authorization failures followed by successful access attempts
- Review security constraint configurations and validate they are functioning as expected
How to Mitigate CVE-2026-24733
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.15 or later for the 11.x branch
- Upgrade Apache Tomcat to version 10.1.50 or later for the 10.1.x branch
- Upgrade Apache Tomcat to version 9.0.113 or later for the 9.0.x branch
- Review and audit all security constraints configured in web.xml or programmatically
Patch Information
Apache has released patched versions that properly enforce HTTP method validation for HTTP/0.9 requests. Users should upgrade to the following versions:
| Branch | Fixed Version |
|---|---|
| 11.x | 11.0.15 |
| 10.1.x | 10.1.50 |
| 9.0.x | 9.0.113 |
For additional details, refer to the Apache Mailing List Thread.
Workarounds
- Configure a reverse proxy or load balancer in front of Tomcat to reject HTTP/0.9 requests
- Implement network-level filtering to block HTTP/0.9 protocol traffic
- Review and adjust security constraints to use more restrictive configurations until patching is possible
- Consider temporarily disabling access to sensitive endpoints that rely on method-based security constraints
# Example: configure Apache HTTP Server as a reverse proxy in front of Tomcat
# and reject HTTP/0.9 requests. An HTTP/0.9 request line carries no protocol
# token (e.g. "HEAD /path" rather than "HEAD /path HTTP/1.1"), so the rule
# matches on the absence of an "HTTP/x.y" token at the end of the request line.
# Add to httpd.conf or the virtual host configuration.
RewriteEngine On
RewriteCond %{THE_REQUEST} !\ HTTP/[0-9]\.[0-9]$
RewriteRule .* - [F]
# On httpd 2.4.24 or later, "HttpProtocolOptions Require1.0" rejects HTTP/0.9
# request lines before mod_rewrite runs and is the simpler option.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

