CVE-2026-43514: Apache Tomcat Timing Attack Vulnerability

CVE-2026-43514 Overview

CVE-2026-43514 is an Observable Timing Discrepancy vulnerability [CWE-208] in Apache Tomcat affecting the comparison routine used for the Apache JServ Protocol (AJP) secret. The flaw allows a remote attacker to infer information about the configured AJP secret by measuring response time variations during repeated comparison attempts. The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. Older unsupported releases may also be affected. Apache addressed the issue in versions 11.0.22, 10.1.55, and 9.0.118.

Critical Impact

A network-based attacker can use timing-based side-channel analysis to incrementally recover the AJP shared secret, potentially enabling unauthenticated proxying through the AJP connector.

Affected Products

• Apache Tomcat 11.0.0-M1 through 11.0.21
• Apache Tomcat 10.1.0-M1 through 10.1.54
• Apache Tomcat 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109

Discovery Timeline

• 2026-05-12 - CVE-2026-43514 published to NVD
• 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-43514

Vulnerability Analysis

The vulnerability is a classic side-channel weakness categorized under [CWE-208] (Observable Timing Discrepancy). When Tomcat's AJP connector validates an incoming request's secret attribute, the comparison routine returns as soon as a non-matching byte is encountered. The time required to reject a candidate value therefore correlates with how many leading bytes were correct.

An attacker who can send AJP requests can measure these response time differences across many trials. By iterating candidate bytes and observing which produces the slowest rejection, the attacker incrementally reconstructs the secret. Once the secret is recovered, the attacker can submit forged AJP requests that bypass the authentication check intended to restrict access to the AJP connector.

Successful exploitation is constrained by network jitter and the limited confidentiality impact reflected in the EPSS data, which places the likelihood of observed exploitation in a low range. However, environments exposing the AJP port (default 8009) to untrusted networks face the highest risk.

Root Cause

The AJP secret comparison did not use a constant-time algorithm. Standard byte-by-byte equality checks short-circuit on the first mismatch, leaking ordering information through measurable timing variations.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. The attacker must be able to reach the AJP connector and collect a large number of timing samples to overcome network noise, which contributes to the high attack complexity assessment for this issue.

No public proof-of-concept exploit code is available for CVE-2026-43514. Technical detail is documented in the Apache mailing list announcement and the OpenWall OSS-Security post.

Detection Methods for CVE-2026-43514

Indicators of Compromise

• High volumes of AJP requests originating from a single source IP targeting TCP port 8009 or the configured AJP port.
• Sequences of AJP requests carrying systematically varied secret values with otherwise identical structure.
• Repeated AJP authentication failures logged by the connector over a short interval.

Detection Strategies

• Inspect AJP connector logs for repeated failed secret validations from the same client.
• Apply network-level rules that flag external traffic reaching the AJP port, which is intended for internal reverse-proxy use.
• Correlate AJP request rates with backend latency anomalies that could indicate timing measurement campaigns.

Monitoring Recommendations

• Forward Tomcat catalina.out and access logs to a centralized SIEM or data lake for retention and analytics.
• Alert on unusual AJP request volume or unfamiliar client IPs interacting with the AJP connector.
• Track Tomcat version inventory across hosts to verify patch status against the fixed releases.

How to Mitigate CVE-2026-43514

Immediate Actions Required

• Upgrade Apache Tomcat to version 11.0.22, 10.1.55, or 9.0.118 as appropriate for your deployment.
• Identify any Tomcat 8.5.x or 7.0.x instances still in production and migrate to a supported, patched branch.
• Restrict the AJP connector to loopback or trusted internal interfaces using address="127.0.0.1" on the Connector element.
• Disable the AJP connector entirely if it is not required by the deployment architecture.

Patch Information

Apache published fixes in Tomcat 11.0.22, 10.1.55, and 9.0.118. Refer to the Apache Tomcat security advisory thread for the official remediation guidance.

Workarounds

• Bind the AJP connector to a private network interface and block external access to the AJP port at the firewall.
• Use long, high-entropy values for the AJP secret to increase the cost of timing-based recovery until patching is complete.
• Place a reverse proxy in front of Tomcat that enforces HTTP-only access and terminates AJP traffic at a trusted boundary.

# Configuration example - restrict AJP connector in server.xml
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_VALUE"
           redirectPort="8443" />