CVE-2026-43513 Overview
CVE-2026-43513 is an Improper Handling of Case Sensitivity vulnerability [CWE-178] in the LockOutRealm component of Apache Tomcat. The flaw weakens the brute-force protection mechanism that Tomcat applies to authentication attempts against configured realms. Attackers reaching the server over the network can exploit the inconsistency to bypass the account lockout logic without authenticating first.
The issue affects Apache Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. The Apache Software Foundation recommends upgrading to 11.0.22, 10.1.55, or 9.0.118.
Critical Impact
Remote, unauthenticated attackers can bypass LockOutRealm protections, enabling sustained credential brute-force attempts against Apache Tomcat authentication.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.21
- Apache Tomcat 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117
- Apache Tomcat 8.5.0 through 8.5.100 and 7.0.0 through 7.0.109 (end-of-life)
Discovery Timeline
- 2026-05-12 - CVE-2026-43513 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43513
Vulnerability Analysis
Apache Tomcat's LockOutRealm wraps an underlying realm to track failed authentication attempts and temporarily lock out usernames that exceed a configurable failure threshold. The component is Tomcat's primary defense against online password guessing for realm-managed authentication.
CVE-2026-43513 stems from improper handling of case sensitivity when LockOutRealm records and matches failed authentication attempts. Because usernames are compared inconsistently, an attacker can vary the case of a target username to register failures and authentication attempts under distinct keys. The lockout counter for the canonical account never reaches the threshold, and the realm continues to accept new attempts.
The vulnerability impacts confidentiality. Its attack vector is network-reachable and requires neither privileges nor user interaction. Successful exploitation does not directly modify data or disrupt service, but it removes the rate-limiting control that protects credentials managed by Tomcat realms.
Root Cause
The root cause is a case-sensitivity mismatch [CWE-178] between how LockOutRealm keys its failure tracking and how the underlying realm or downstream comparison treats usernames. Identifiers that are semantically equivalent are treated as distinct, fragmenting the failure count across multiple variants of the same account.
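The following simplified model is added here as an illustration of the mismatch; it is not Tomcat's LockOutRealm code, and the "fixed" variant reflects this example's assumption that the counter key must be canonicalized the same way the backing realm compares usernames, not a description of the actual Tomcat patch. The backing realm, user name and passwords are constructed for the demonstration.

```python
import time
from collections import defaultdict

# Constructed backing "realm" that compares usernames case-insensitively,
# as a database or directory with a case-insensitive collation might.
USERS = {"admin": "correct-horse"}

def backing_authenticate(username, password):
    return USERS.get(username.casefold()) == password

class LockoutTracker:
    """Simplified lockout wrapper; a model, not Tomcat's LockOutRealm code.
    failure_count / lock_out_time follow the idea of LockOutRealm's failureCount
    and lockOutTime settings; key_fn canonicalizes a username before counting."""
    def __init__(self, key_fn, failure_count=5, lock_out_time=300, clock=time.time):
        self.key_fn, self.failure_count = key_fn, failure_count
        self.lock_out_time, self.clock = lock_out_time, clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def is_locked(self, username):
        key, now = self.key_fn(username), self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < self.lock_out_time]
        return len(self.failures[key]) >= self.failure_count

    def authenticate(self, username, password):
        if self.is_locked(username):
            return False  # refuse without consulting the backing realm
        if backing_authenticate(username, password):
            self.failures.pop(self.key_fn(username), None)
            return True
        self.failures[self.key_fn(username)].append(self.clock())
        return False

def outcome_after_case_varied_failures(key_fn):
    """Eight wrong passwords spread over four case variants of one account,
    then the right one. Returns (account_locked, final_attempt_accepted)."""
    tracker = LockoutTracker(key_fn, failure_count=5, clock=lambda: 1000.0)
    variants = ["admin", "Admin", "ADMIN", "aDmin"]
    for i in range(8):
        tracker.authenticate(variants[i % 4], f"wrong-{i}")
    return tracker.is_locked("admin"), tracker.authenticate("Admin", "correct-horse")

# Raw username as the counter key: every variant stays at 2 < 5, nothing locks.
VULNERABLE = outcome_after_case_varied_failures(key_fn=lambda u: u)   # (False, True)
# Key normalized the same way the backing realm compares: one counter, locks at 5.
FIXED = outcome_after_case_varied_failures(key_fn=str.casefold)      # (True, False)
```

Which canonical form is right depends on how the backing realm compares usernames; for a realm that is genuinely case-sensitive, folding only over-counts, which errs on the side of locking.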
Attack Vector
An unauthenticated attacker submits repeated authentication requests over the network against any Tomcat application that uses LockOutRealm. By alternating the case of the username on each attempt (for example, admin, Admin, ADMIN, aDmin), the attacker keeps each per-key counter below the lockout threshold while still validating against the same backing account. This permits a sustained, high-volume credential guessing attack that the realm was designed to prevent.
No verified public proof-of-concept code is currently available. See the Apache Mailing List Thread and the OpenWall OSS-Security Post for vendor details.
Detection Methods for CVE-2026-43513
Indicators of Compromise
- High volumes of failed authentication requests against Tomcat endpoints, particularly the manager, host-manager, or application login URLs.
- Authentication failures for the same logical account using varied case (e.g., admin, ADMIN, Admin) from the same source address or short time window.
- Absence of expected LockOutRealm lockout log entries despite high failure counts for a recognizable account.
Detection Strategies
- Parse Tomcat access logs and catalina.out for repeated 401/403 responses or realm authentication failures grouped by source IP.
- Normalize usernames to lower case during log analysis and aggregate failure counts per canonical identifier rather than per raw string.
- Alert when canonical-username failure counts exceed your policy threshold within a short interval, independent of LockOutRealm state.
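The detection strategy above, as an added example that is not part of the original advisory: it parses constructed log lines (the line layout is an assumption; adapt LINE_RE to the access-log or catalina.out format your realm writes), aggregates failures per case-folded username within a sliding window, alerts at a policy threshold, and flags a later success from the same source as possible post-bypass compromise. It also shows what grouping by the raw username string would see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines, not real Tomcat output: adapt LINE_RE to the
# access-log or catalina.out layout your realm actually writes.
SAMPLE_LOG = """\
2026-05-13T10:15:01Z auth src=203.0.113.7 user=admin result=FAIL
2026-05-13T10:15:02Z auth src=203.0.113.7 user=Admin result=FAIL
2026-05-13T10:15:03Z auth src=203.0.113.7 user=ADMIN result=FAIL
2026-05-13T10:15:04Z auth src=203.0.113.7 user=aDmin result=FAIL
2026-05-13T10:15:05Z auth src=203.0.113.7 user=admin result=FAIL
2026-05-13T10:15:09Z auth src=203.0.113.7 user=aDmin result=SUCCESS
2026-05-13T10:20:00Z auth src=198.51.100.9 user=alice result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"]

def canonical(user):
    return user.strip().casefold()  # count per logical account, not per raw string

def max_failures_per_raw_user(log_text):
    """What naive grouping by the raw username string sees."""
    counts = defaultdict(int)
    for _, src, user, result in parse(log_text):
        if result == "FAIL":
            counts[(src, user)] += 1
    return max(counts.values())

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert per (source, canonical user) once failures inside `window` reach `threshold`."""
    failures, variants, alerts = defaultdict(deque), defaultdict(set), {}
    for ts, src, user, result in parse(log_text):
        key = (src, canonical(user))
        variants[key].add(user)
        if result == "FAIL":
            q = failures[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(q), "variants": variants[key], "success_after": False}
        elif result == "SUCCESS" and key in alerts:
            alerts[key]["success_after"] = True  # login after a burst: investigate
    return alerts
```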
Monitoring Recommendations
- Forward Tomcat realm and access logs to a centralized analytics platform and retain them long enough to detect slow brute-force campaigns.
- Correlate authentication failure spikes with successful logins from the same source to identify post-bypass credential compromise.
- Track inventory of Tomcat instances and their versions to prioritize unpatched hosts exposed to untrusted networks.
How to Mitigate CVE-2026-43513
Immediate Actions Required
- Upgrade Apache Tomcat to 11.0.22, 10.1.55, or 9.0.118 as specified by the Apache Software Foundation.
- Retire or isolate Tomcat 8.5.x and 7.0.x deployments, which are end-of-life and will not receive fixes.
- Restrict network access to Tomcat manager, host-manager, and other authenticated endpoints to trusted administrative networks.
Patch Information
The Apache Software Foundation released fixed versions 11.0.22, 10.1.55, and 9.0.118 that correct the case-sensitivity handling in LockOutRealm. Details are available in the Apache Mailing List Thread.
Workarounds
- Place a reverse proxy or web application firewall in front of Tomcat to enforce IP-based rate limiting and account lockout on authentication endpoints.
- Enforce strong, unique credentials and multi-factor authentication for any account authenticated through Tomcat realms.
- Disable or remove unused web applications such as manager and host-manager if they are not required.
# Verify the installed Tomcat version against the fixed releases
$CATALINA_HOME/bin/version.sh | grep "Server number"

<!-- Example: restrict access to the Manager application by remote address
     (conf/Catalina/localhost/manager.xml; the allow attribute is a regular expression) -->
<Context privileged="true" docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|10\.0\.0\.\d+"/>
</Context>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.