CVE-2026-43515 Overview
CVE-2026-43515 is an Improper Authorization vulnerability [CWE-285] in Apache Tomcat that occurs when multiple method constraints define an HTTP method for the same extension. The flaw allows attackers to bypass intended authorization controls over the network without authentication or user interaction. Affected releases span Tomcat 7.0.0 through 11.0.21, covering most actively deployed major versions. The Apache Software Foundation has released fixed builds in versions 11.0.22, 10.1.55, and 9.0.118.
Critical Impact
Unauthenticated remote attackers can bypass security constraints to access protected resources and modify data served by misconfigured Tomcat web applications.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.21
- Apache Tomcat 10.1.0-M1 through 10.1.54
- Apache Tomcat 9.0.0.M1 through 9.0.117
- Apache Tomcat 8.5.0 through 8.5.100 and 7.0.0 through 7.0.109 (end-of-life branches)
Discovery Timeline
- 2026-05-12 - CVE-2026-43515 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43515
Vulnerability Analysis
The vulnerability resides in how Apache Tomcat evaluates <security-constraint> elements defined in web.xml. When multiple <security-constraint> entries reference the same URL pattern based on a file extension and each constraint declares a different HTTP method, Tomcat fails to combine those method constraints correctly. As a result, an HTTP method that should be restricted under one constraint may be evaluated against an unrelated constraint, granting access that the deployer never intended.
This weakness maps to [CWE-285: Improper Authorization]. The flaw is purely server-side and does not depend on the application implementing custom authentication logic. Any Tomcat-deployed application that uses extension-based pattern matching with multiple method-specific constraints is exposed.
The attack vector is network-based, requires no privileges, and needs no user interaction. Successful exploitation impacts both confidentiality and integrity of resources protected by the affected constraints.
Root Cause
The root cause is the constraint-merging logic for declarative security in Tomcat. When two or more <security-constraint> blocks target the same extension pattern and each specifies an <http-method>, Tomcat does not enforce the union of restrictions. Instead, evaluation can resolve to a constraint that permits the request, effectively neutralizing the more restrictive rule.
Attack Vector
An attacker sends HTTP requests for resources matching an extension covered by overlapping method constraints. By selecting an HTTP method whose constraint is incorrectly evaluated, the attacker reaches a resource that should require authentication or a specific role. Because the issue is in container-level authorization, application-layer access checks are not invoked. Technical specifics are described in the Apache Tomcat mailing list announcement and the Openwall OSS Security post.
Detection Methods for CVE-2026-43515
Indicators of Compromise
- Successful HTTP 200 responses to methods such as PUT, DELETE, or POST against extension-mapped resources that should require authentication.
- Access log entries showing unauthenticated requests reaching servlets or files protected by <security-constraint> declarations.
- Modifications to files served by Tomcat web applications without corresponding authenticated session identifiers in logs.
Detection Strategies
- Audit each deployed web.xml for multiple <security-constraint> elements that target the same <url-pattern> extension with different <http-method> values.
- Replay representative HTTP methods against protected extension-mapped URLs in a staging environment and verify the container returns 401 or 403.
- Compare deployed Tomcat versions against the fixed releases 11.0.22, 10.1.55, and 9.0.118 using inventory or software composition analysis tooling.
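One way to automate the first strategy above, as an added example written for this page (not code from Apache Tomcat or the advisory): it parses a web.xml and reports every url-pattern that is claimed by more than one method-specific security-constraint, which is the configuration shape the flaw concerns. The sample web.xml is constructed.

```python
"""Audit a web.xml for the overlapping, method-specific <security-constraint>
shape that CVE-2026-43515 concerns. The sample web.xml below is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two constraints cover *.jsp, each naming a different method.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Drop the XML namespace so matching works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def find_overlapping_constraints(web_xml_text):
    """Map each url-pattern used by more than one method-specific constraint to its method sets."""
    per_pattern = defaultdict(list)
    for sc in ET.fromstring(web_xml_text):
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = frozenset(e.text.strip() for e in wrc if _local(e.tag) == "http-method")
            for e in wrc:
                if _local(e.tag) == "url-pattern":
                    per_pattern[e.text.strip()].append(methods)
    # Only patterns constrained more than once, with explicit methods in play,
    # are subject to the merging logic described under Root Cause.
    return {p: sets for p, sets in per_pattern.items() if len(sets) > 1 and any(sets)}

if __name__ == "__main__":
    for pattern, sets in find_overlapping_constraints(SAMPLE_WEB_XML).items():
        print(f"{pattern}: {[sorted(s) for s in sets]}")
```

Any pattern reported should be consolidated into one security-constraint as shown under Workarounds.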
Monitoring Recommendations
- Forward Tomcat access_log and catalina.out to a centralized log platform and alert on unauthenticated access to URLs declared inside <security-constraint> blocks.
- Track anomalous spikes in non-GET methods targeting static or extension-bound endpoints.
- Correlate web application firewall (WAF) decisions with Tomcat authorization outcomes to identify constraint bypasses.
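The indicators listed above and the access-log alerting recommended here can be expressed as one check over Tomcat's default "common" access log pattern (%h %l %u %t "%r" %s %b). This is an added example written for this page, not from the advisory or Tomcat; the log lines are constructed, and the set of protected extensions is assumed to be passed in by the operator.

```python
"""Flag access-log lines matching the CVE-2026-43515 indicators: a successful
non-GET request to an extension-mapped resource with no authenticated remote
user. Parses Tomcat's default "common" AccessLogValve pattern. Lines are constructed."""
import re

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: an authenticated POST, an unauthenticated GET (public reads
# are not flagged here), a denied DELETE, and two unauthenticated writes that
# succeeded against *.jsp resources, which is what the IoC list describes.
SAMPLE_LOG = """\
203.0.113.5 - alice [15/May/2026:10:12:01 +0000] "POST /app/report.jsp HTTP/1.1" 200 512
203.0.113.9 - - [15/May/2026:10:12:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024
203.0.113.9 - - [15/May/2026:10:12:05 +0000] "PUT /app/report.jsp HTTP/1.1" 200 0
203.0.113.9 - - [15/May/2026:10:12:06 +0000] "DELETE /app/report.jsp HTTP/1.1" 403 0
203.0.113.9 - - [15/May/2026:10:12:07 +0000] "POST /app/report.jsp HTTP/1.1" 200 12
"""

WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in common format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspect_requests(log_text, protected_extensions=(".jsp",)):
    """Return (host, method, path) for 2xx write requests on protected extensions with %u == '-'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching the extension
        if (rec["method"] in WRITE_METHODS
                and rec["user"] == "-"  # Tomcat sets %u only after the container authenticated
                and rec["status"].startswith("2")
                and path.lower().endswith(tuple(protected_extensions))):
            hits.append((rec["host"], rec["method"], path))
    return hits

if __name__ == "__main__":
    for host, method, path in find_suspect_requests(SAMPLE_LOG):
        print(f"suspect: {host} {method} {path}")
```

The extension list should be derived from the url-pattern values inside the application's security-constraint blocks rather than hard-coded.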
How to Mitigate CVE-2026-43515
Immediate Actions Required
- Upgrade Apache Tomcat to 11.0.22, 10.1.55, or 9.0.118 as published by the Apache Software Foundation.
- For deployments on end-of-life branches 7.x and 8.5.x, migrate to a supported, patched major version.
- Review every application web.xml for overlapping method constraints and consolidate them into a single <security-constraint> block per URL pattern until patching is complete.
Patch Information
Fixes are available in Apache Tomcat 11.0.22, 10.1.55, and 9.0.118. The Apache project recommends upgrading to one of these versions. Refer to the Apache Tomcat mailing list advisory for the official notice.
Workarounds
- Rewrite affected web.xml files so a single <security-constraint> element enumerates all restricted HTTP methods for a given URL pattern.
- Place an authenticating reverse proxy or WAF in front of Tomcat to enforce method-level access controls independently of the container.
- Disable or remove unused HTTP methods at the connector or proxy layer to reduce the surface available for bypass.
Configuration example: consolidate method constraints into a single security-constraint in WEB-INF/web.xml so Tomcat evaluates them as a unified rule set.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Extension</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authenticated</role-name>
  </auth-constraint>
</security-constraint>
<!-- Methods not listed above are left uncovered by this constraint. On Servlet 3.1
     and later (Tomcat 8.0+), add <deny-uncovered-http-methods/> at web-app level
     so uncovered methods are rejected instead of served without authorization. -->
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.