Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55276

CVE-2026-55276: Apache Tomcat Auth Bypass Vulnerability

CVE-2026-55276 is an authentication bypass flaw in Apache Tomcat affecting versions 8.5.0 through 11.0.22. This vulnerability involves incorrect control flow in authorization constraints. Learn about affected versions and patches.

Published:

CVE-2026-55276 Overview

CVE-2026-55276 is an Always-Incorrect Control Flow Implementation vulnerability [CWE-670] in Apache Tomcat. The flaw causes special roles and empty authorisation constraints to be omitted when the effective web.xml is logged. This behavior can obscure the actual security constraints applied to web applications, undermining accurate auditing of deployed access controls.

The issue affects Apache Tomcat 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, and 8.5.0 through 8.5.100. End-of-life releases may also be impacted. Apache has released fixed versions 11.0.23, 10.1.56, and 9.0.119.

Critical Impact

The vulnerability carries a CVSS score of 9.1 and is exploitable over the network without authentication or user interaction.

Affected Products

  • Apache Tomcat 11.0.0-M1 through 11.0.22
  • Apache Tomcat 10.1.0-M1 through 10.1.55
  • Apache Tomcat 9.0.0.M1 through 9.0.118
  • Apache Tomcat 8.5.0 through 8.5.100

Discovery Timeline

  • 2026-06-29 - CVE-2026-55276 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-55276

Vulnerability Analysis

Apache Tomcat generates an effective web.xml representation that consolidates security constraints, servlet mappings, and role definitions from the deployment descriptor and annotations. When administrators enable logging of this effective descriptor for audit or debugging purposes, the output is expected to accurately reflect the runtime security posture.

The defect resides in the control flow that assembles the logged descriptor. Special roles such as * and **, along with empty <auth-constraint/> elements that deny all access, are omitted from the log output. Operators reviewing the logs therefore see an incomplete view of the enforced security constraints, which can lead to misconfiguration going undetected.

This is classified as [CWE-670] Always-Incorrect Control Flow Implementation, indicating the code path consistently produces incorrect results rather than failing intermittently.

Root Cause

The logging routine that serializes the effective web.xml does not iterate over the full set of authorisation constraint types. Special role identifiers and empty constraint containers are skipped, producing an output that diverges from the constraints actually enforced by the servlet container.

Attack Vector

The vulnerability is exposed over the network according to the CVSS vector. Exploitation does not require privileges or user interaction. Adversaries who can influence deployment reviews or who target environments relying on the logged descriptor for compliance validation can leverage the misleading output to hide unauthorized access paths from defenders.

Refer to the Apache Mailing List Thread and the OpenWall OSS Security Update for authoritative technical details.

Detection Methods for CVE-2026-55276

Indicators of Compromise

  • Effective web.xml log entries that omit <auth-constraint/> blocks or references to the * and ** special roles present in the source deployment descriptor.
  • Discrepancies between deployed WEB-INF/web.xml contents and the effective descriptor written by Tomcat at startup.
  • Unexpected access to resources that should be protected by empty authorisation constraints.

Detection Strategies

  • Compare the on-disk web.xml and annotation-derived constraints against Tomcat's logged effective descriptor to identify missing role or constraint entries.
  • Inventory all Tomcat instances and confirm versions against the fixed releases 11.0.23, 10.1.56, and 9.0.119.
  • Review access logs for successful requests to URL patterns that should be denied by empty <auth-constraint/> elements.

Monitoring Recommendations

  • Ingest Tomcat catalina.out and access logs into a centralized analytics platform for correlation with deployment descriptor baselines.
  • Alert on Tomcat process starts using vulnerable versions identified through software inventory data.
  • Track authentication and authorisation failures on servlet endpoints to detect probing of misconfigured constraints.

How to Mitigate CVE-2026-55276

Immediate Actions Required

  • Upgrade Apache Tomcat to version 11.0.23, 10.1.56, or 9.0.119 based on the deployed major release line.
  • Retire any Tomcat 8.5.x deployments still in production, as this branch is affected and end-of-life.
  • Audit deployed applications for security constraints that rely on special roles or empty <auth-constraint/> elements and validate enforcement at runtime.

Patch Information

Apache published fixed builds addressing CVE-2026-55276 in Tomcat 11.0.23, 10.1.56, and 9.0.119. Details are available in the Apache Mailing List Thread.

Workarounds

  • Do not rely solely on the logged effective web.xml for security auditing until patched; validate constraints by direct HTTP testing of protected URL patterns.
  • Restrict management and log access to authorized administrators to prevent adversaries from using the incomplete output for reconnaissance.
  • Enforce network segmentation and reverse-proxy authentication as a compensating control while upgrades are scheduled.
bash
# Verify installed Tomcat version and confirm it matches a fixed release
$CATALINA_HOME/bin/version.sh | grep -E "Server number|Server version"

# Expected fixed versions: 11.0.23, 10.1.56, or 9.0.119

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.