CVE-2026-55955 Overview
CVE-2026-55955 is an improper authentication vulnerability [CWE-287] in Apache Tomcat that permits replay attacks against the EncryptionInterceptor in the cluster component. Attackers positioned to observe cluster traffic can capture and replay encrypted messages between clustered Tomcat nodes. The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. The Apache Software Foundation released fixes in 11.0.23, 10.1.56, and 9.0.119.
Critical Impact
An attacker with network access to cluster communications can replay captured messages, undermining the confidentiality and integrity guarantees that EncryptionInterceptor is intended to provide for inter-node session replication.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.22
- Apache Tomcat 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18
- Apache Tomcat 8.5.38 through 8.5.100, 7.0.100 through 7.0.109
Discovery Timeline
- 2026-06-29 - CVE-2026-55955 published to the National Vulnerability Database (NVD)
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-55955
Vulnerability Analysis
Apache Tomcat's cluster component supports session replication and state sharing between nodes. The EncryptionInterceptor sits in the interceptor chain and encrypts cluster messages to protect them from eavesdropping and tampering on the wire. The interceptor uses symmetric encryption with a shared key configured across cluster members.
The vulnerability stems from missing anti-replay protection in the interceptor's message handling. Although payloads are encrypted, the design does not authenticate the freshness of each message with a nonce, sequence number, or timestamp binding that the receiver validates. An attacker who can observe cluster traffic can capture ciphertext frames and re-send them to a cluster node, which decrypts and processes the replayed message as if it were legitimate.
The issue is categorized under [CWE-287] Improper Authentication because message authenticity, not just confidentiality, is the missing property. Exploitation requires network access to the cluster multicast or TCP channel used for replication.
Root Cause
The EncryptionInterceptor provides encryption but lacks a replay-resistant authentication construct. Without a verified sequence counter or per-message nonce tracked at the receiver, identical ciphertext can be re-injected and accepted by peer nodes.
Attack Vector
The attack vector is network-based with low attack complexity and no privileges or user interaction required. An attacker positioned on the cluster network segment captures encrypted replication frames and replays them to a cluster member. Replayed session updates can alter application state, resurrect stale session data, or trigger side effects tied to processed cluster events. Confidentiality and integrity impacts are limited in scope, while availability is not directly affected.
No public proof-of-concept exploit is currently listed in Exploit-DB, and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. EPSS data places exploitation likelihood in the lower percentile as of the July 2026 scoring.
Detection Methods for CVE-2026-55955
Indicators of Compromise
- Duplicate cluster replication messages appearing within short intervals on the same channel.
- Session state anomalies such as reappearance of expired sessions or unexpected attribute rollbacks across nodes.
- Unexpected hosts sourcing traffic on the cluster multicast address or replication TCP port.
Detection Strategies
- Inspect Tomcat cluster logs for repeated message identifiers and out-of-order replication events after enabling verbose interceptor logging.
- Deploy network intrusion detection signatures that flag repeated identical payloads on the configured cluster port.
- Correlate application-layer session events with cluster replication frames to spot mismatches indicative of replay.
Monitoring Recommendations
- Baseline normal cluster message rates and alert on anomalous bursts or duplicates on the replication channel.
- Restrict and monitor access to the cluster network segment, alerting on any new peer joining the multicast group.
- Track Tomcat version inventory across the estate to confirm no vulnerable instances remain in production.
How to Mitigate CVE-2026-55955
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.23, 10.1.56, or 9.0.119 as specified in the Apache advisory.
- Isolate cluster replication traffic on a dedicated, access-controlled network segment or VLAN.
- Rotate the shared encryption key used by EncryptionInterceptor after patching all cluster members.
Patch Information
The Apache Software Foundation released fixed builds in Apache Tomcat 11.0.23, 10.1.56, and 9.0.119. Users on Tomcat 8.5.x and 7.0.x branches, which are end-of-life, should migrate to a supported and patched branch. See the Apache Mailing List Thread and the OpenWall OSS Security Post for the vendor announcement.
Workarounds
- Restrict cluster communication to trusted hosts using firewall rules and network segmentation until patches are applied.
- Terminate cluster traffic over a mutually authenticated transport such as an IPsec tunnel to prevent third-party replay on the wire.
- Disable the cluster component in server.xml if session replication is not required by the deployment.
# Verify installed Apache Tomcat version and confirm patched build
$CATALINA_HOME/bin/version.sh | grep "Server number"
# Example firewall restriction limiting cluster replication port to trusted peers
iptables -A INPUT -p tcp --dport 4000 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

