CVE-2026-41293 Overview
CVE-2026-41293 is an improper input validation vulnerability [CWE-20] affecting multiple supported branches of Apache Tomcat. The flaw is reachable over the network without authentication and without user interaction, exposing the servlet container to remote compromise. Affected branches include Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 10.0.0-M1 through 10.0.27, and 9.0.0.M1 through 9.0.117. End-of-support releases may also be impacted. The Apache Software Foundation has published an advisory and recommends upgrading to the fixed releases on each supported branch.
Critical Impact
Unauthenticated network attackers can target Apache Tomcat instances to compromise confidentiality, integrity, and availability of the affected server.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.21
- Apache Tomcat 10.1.0-M1 through 10.1.54
- Apache Tomcat 10.0.0-M1 through 10.0.27
- Apache Tomcat 9.0.0.M1 through 9.0.117
Discovery Timeline
- 2026-05-12 - CVE-2026-41293 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-41293
Vulnerability Analysis
The vulnerability stems from improper input validation in Apache Tomcat. Tomcat fails to adequately validate attacker-controlled input before processing it within the request handling pipeline. Because the issue is exposed over the network and requires no privileges or user interaction, an attacker can interact directly with a listening Tomcat connector to trigger the flaw.
The weakness is classified under [CWE-20] Improper Input Validation. Successful exploitation can lead to high impact across confidentiality, integrity, and availability, consistent with a server-side compromise of the servlet container. The Exploit Prediction Scoring System (EPSS) currently places the probability of observed exploitation at 0.158%, though this value can shift rapidly once technical details circulate.
The issue affects all currently supported major branches (9.0.x, 10.0.x, 10.1.x, 11.0.x), and the Apache Tomcat team notes that older end-of-life versions may also be affected. Organizations running unsupported Tomcat releases should assume exposure.
Root Cause
The root cause is missing or insufficient validation of input data within Tomcat request processing. Malformed or unexpected input is accepted and processed instead of being rejected at the parsing boundary. This violation of input handling assumptions creates the condition for downstream misuse of the data.
Attack Vector
The attack vector is network-based. An attacker sends crafted requests to a Tomcat connector exposed on HTTP, HTTPS, or AJP. No authentication credentials and no user interaction are required, which makes any internet-reachable Tomcat instance a viable target. See the Apache Mailing List Thread and the OpenWall OSS Security Post for upstream details.
No public proof-of-concept exploit has been released at the time of publication. Defenders should still treat the issue as actively targetable given the trivial attack complexity.
Detection Methods for CVE-2026-41293
Indicators of Compromise
- Unexpected catalina.out errors or stack traces referencing request parsing or connector components.
- Outbound connections from the Tomcat JVM process (java) to unfamiliar hosts shortly after inbound HTTP/AJP traffic.
- New or modified files under webapps/, work/, or temp/ directories that do not correspond to deployment activity.
Detection Strategies
- Inspect web server and reverse proxy logs for malformed requests, abnormal header values, or unusual request line patterns directed at Tomcat connectors.
- Alert on child processes spawned by the Tomcat JVM, such as sh, bash, cmd.exe, or powershell.exe, which indicate post-exploitation activity.
- Correlate inbound requests to Tomcat with subsequent authentication failures, privilege changes, or new listening sockets on the host.
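The request-line checks above, as an added example that is not part of this advisory: a small Python scanner over Tomcat AccessLogValve lines in the default "common" pattern that flags request lines failing a strict grammar, oversized request targets, and per-host bursts of HTTP 400 parser rejections. The thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>-|\d+)$'
)
# Strict request-line grammar: known method, one printable target, HTTP version.
REQUEST_RE = re.compile(
    r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) '
    r'(?P<target>[\x21-\x7e]+) HTTP/(1\.0|1\.1|2\.0)$'
)
MAX_TARGET_LEN = 2048   # assumed threshold; tune to the application's real URIs
BAD_REQUEST_BURST = 3   # assumed threshold: HTTP 400s per source host per log window

def classify(line):
    """Findings for one access-log line; an empty list means nothing unusual."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable access-log line"]
    findings = []
    r = REQUEST_RE.match(m.group("request"))
    if r is None:
        findings.append("malformed request line")
    elif len(r.group("target")) > MAX_TARGET_LEN:
        findings.append("oversized request target")
    if m.group("status") == "400":
        findings.append("rejected by Tomcat parser (HTTP 400)")
    return findings

def scan(lines):
    """Return ({line index: findings}, [hosts at or above the 400 burst threshold])."""
    hits, bad_by_host = {}, Counter()
    for i, line in enumerate(lines):
        f = classify(line)
        if f:
            hits[i] = f
        m = LINE_RE.match(line)
        if m and m.group("status") == "400":
            bad_by_host[m.group("host")] += 1
    return hits, sorted(h for h, n in bad_by_host.items() if n >= BAD_REQUEST_BURST)

# Constructed sample lines, not real traffic: line 1 is benign; line 2 carries a raw
# control byte in the target, line 3 an unknown method, line 4 an oversized target.
SAMPLE = [
    '10.0.0.5 - - [12/May/2026:10:15:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024',
    '198.51.100.9 - - [12/May/2026:10:15:02 +0000] "GET /app/\x01 HTTP/1.1" 400 0',
    '198.51.100.9 - - [12/May/2026:10:15:03 +0000] "FOO /app HTTP/1.1" 400 0',
    '198.51.100.9 - - [12/May/2026:10:15:04 +0000] "GET /app/' + "A" * 4096 + ' HTTP/1.1" 400 0',
]
```

A 400 on its own is routine noise; the per-host burst count is what turns it into something worth correlating with the process and file indicators listed above.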
Monitoring Recommendations
- Enable Tomcat access logging with full request URI, headers of interest, and response codes, and forward logs to a centralized analytics platform.
- Monitor the Tomcat process for anomalous CPU, memory, and network behavior consistent with exploitation or webshell activity.
- Track Tomcat version inventory across the estate and flag any host still running an unpatched 9.0.x, 10.0.x, 10.1.x, or 11.0.x build.
How to Mitigate CVE-2026-41293
Immediate Actions Required
- Identify all Apache Tomcat instances and record their exact versions, including embedded Tomcat inside Spring Boot or other application bundles.
- Upgrade affected instances to the fixed release on the corresponding supported branch as published in the Apache advisory.
- Restrict network exposure of Tomcat connectors so that only required clients and reverse proxies can reach them.
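For the version inventory under Monitoring Recommendations and the identification step above, an added Python helper (not from Apache or the advisory) that orders Tomcat version strings, including the 9.0.0.M1 and 10.1.0-M1 milestone forms, and checks them against the affected ranges listed on this page. The hostnames and versions in the sample inventory are constructed; because the page does not state the fixed version numbers, builds above a listed range are reported as "confirm against the advisory" rather than as fixed.

```python
import re

# Accepts "9.0.117", "9.0.0.M1" and "10.1.0-M1" (the forms used in this advisory).
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$')

def parse_version(text):
    """Sortable tuple; a milestone sorts before the GA build of the same x.y.z."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

# Inclusive affected ranges and supported branches exactly as listed on this page.
AFFECTED = [("11.0.0-M1", "11.0.21"), ("10.1.0-M1", "10.1.54"),
            ("10.0.0-M1", "10.0.27"), ("9.0.0.M1", "9.0.117")]
SUPPORTED_BRANCHES = {(9, 0), (10, 0), (10, 1), (11, 0)}

def assess(version):
    """Verdict for one installed version against the listed ranges."""
    v = parse_version(version)
    if v[:2] not in SUPPORTED_BRANCHES:
        return "unsupported branch: assume exposed, migrate to a supported branch"
    for low, high in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return "affected: upgrade to the fixed release for this branch"
    # The page does not give fixed version numbers, so never report "fixed" here.
    return "above listed range: confirm against the Apache advisory"

def triage(inventory):
    """inventory: {hostname: version string} -> {verdict: [hostnames]}."""
    groups = {}
    for host, ver in sorted(inventory.items()):
        groups.setdefault(assess(ver), []).append(host)
    return groups

# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = {
    "web-01": "9.0.117",      # top of the listed 9.0.x range
    "web-02": "10.1.54",      # top of the listed 10.1.x range
    "web-03": "11.0.0-M1",    # bottom of the listed 11.0.x range
    "web-04": "8.5.100",      # branch not in the supported set above
    "web-05": "10.1.60",      # hypothetical later build, not a claimed fix version
}
```

Feed it the version strings collected from each host (for embedded Tomcat, the tomcat-embed-core jar version) rather than trusting package metadata alone.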
Patch Information
Apache has released fixed versions on each supported branch. Refer to the Apache Mailing List Thread for the exact fixed version numbers for branches 9.0.x, 10.0.x, 10.1.x, and 11.0.x. Organizations running end-of-support versions should migrate to a supported branch, since no patches will be backported.
Workarounds
- Place a hardened reverse proxy or web application firewall in front of Tomcat to filter malformed requests until patching is complete.
- Disable the AJP connector if it is not required, or bind it to localhost and configure a secret attribute.
- Limit Tomcat connector exposure with network ACLs so the service is not reachable from untrusted networks.
<!-- Configuration example: restrict the AJP connector to loopback in server.xml.
     address binds the listener to the local interface only; secretRequired with a
     non-empty secret makes the front-end proxy prove it knows the shared secret. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE_WITH_STRONG_SECRET"
           redirectPort="8443" />
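An added Python audit (not Tomcat's own tooling) that applies the AJP workaround above to a server.xml: it flags AJP connectors not bound to loopback, with secretRequired disabled, with no secret, or with the placeholder secret still in place, and HTTP connectors with no address binding. The two server.xml fragments are constructed, one weak and one matching the example above with the placeholder replaced by a constructed value.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDER = "REPLACE_WITH_STRONG_SECRET"   # the placeholder used in the example above

def audit_connectors(server_xml):
    """Return (port, finding) pairs for connectors that fall short of the
    workarounds above; an empty list means every connector passed."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        # protocol may be "AJP/1.3" or a full class name such as ...ajp.AjpNioProtocol
        if "AJP" in c.get("protocol", "HTTP/1.1").upper():
            if c.get("address") not in LOOPBACK:
                findings.append((port, "AJP connector not bound to loopback"))
            # secretRequired defaults to true on current branches; "false" is the weak setting
            if c.get("secretRequired", "true").lower() != "true":
                findings.append((port, "AJP secretRequired disabled"))
            secret = c.get("secret")
            if not secret:
                findings.append((port, "AJP connector has no secret configured"))
            elif secret == PLACEHOLDER:
                findings.append((port, "AJP placeholder secret was never replaced"))
        elif c.get("address") is None:
            findings.append((port, "HTTP connector bound to all interfaces; confirm ACL/proxy placement"))
    return findings

# Constructed server.xml fragments: the first exposes AJP on all interfaces with
# the secret check disabled, the second follows the hardened example above.
WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector protocol="AJP/1.3" port="8009" secretRequired="false" />
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="10.0.0.5" />
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="true" secret="constructed-example-secret"
             redirectPort="8443" />
</Service></Server>"""
```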
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


