Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55955

CVE-2026-55955: Apache Tomcat Auth Bypass Vulnerability

CVE-2026-55955 is an authentication bypass flaw in Apache Tomcat that enables replay attacks against the EncryptionInterceptor. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-55955 Overview

CVE-2026-55955 is an improper authentication vulnerability [CWE-287] in Apache Tomcat that permits replay attacks against the EncryptionInterceptor in the cluster component. Attackers positioned to observe cluster traffic can capture and replay encrypted messages between clustered Tomcat nodes. The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. The Apache Software Foundation released fixes in 11.0.23, 10.1.56, and 9.0.119.

Critical Impact

An attacker with network access to cluster communications can replay captured messages, undermining the confidentiality and integrity guarantees that EncryptionInterceptor is intended to provide for inter-node session replication.

Affected Products

  • Apache Tomcat 11.0.0-M1 through 11.0.22
  • Apache Tomcat 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18
  • Apache Tomcat 8.5.38 through 8.5.100, 7.0.100 through 7.0.109

Discovery Timeline

  • 2026-06-29 - CVE-2026-55955 published to the National Vulnerability Database (NVD)
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-55955

Vulnerability Analysis

Apache Tomcat's cluster component supports session replication and state sharing between nodes. The EncryptionInterceptor sits in the interceptor chain and encrypts cluster messages to protect them from eavesdropping and tampering on the wire. The interceptor uses symmetric encryption with a shared key configured across cluster members.

The vulnerability stems from missing anti-replay protection in the interceptor's message handling. Although payloads are encrypted, the design does not authenticate the freshness of each message with a nonce, sequence number, or timestamp binding that the receiver validates. An attacker who can observe cluster traffic can capture ciphertext frames and re-send them to a cluster node, which decrypts and processes the replayed message as if it were legitimate.

The issue is categorized under [CWE-287] Improper Authentication because message authenticity, not just confidentiality, is the missing property. Exploitation requires network access to the cluster multicast or TCP channel used for replication.

Root Cause

The EncryptionInterceptor provides encryption but lacks a replay-resistant authentication construct. Without a verified sequence counter or per-message nonce tracked at the receiver, identical ciphertext can be re-injected and accepted by peer nodes.

Attack Vector

The attack vector is network-based with low attack complexity and no privileges or user interaction required. An attacker positioned on the cluster network segment captures encrypted replication frames and replays them to a cluster member. Replayed session updates can alter application state, resurrect stale session data, or trigger side effects tied to processed cluster events. Confidentiality and integrity impacts are limited in scope, while availability is not directly affected.

No public proof-of-concept exploit is currently listed in Exploit-DB, and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. EPSS data places exploitation likelihood in the lower percentile as of the July 2026 scoring.

Detection Methods for CVE-2026-55955

Indicators of Compromise

  • Duplicate cluster replication messages appearing within short intervals on the same channel.
  • Session state anomalies such as reappearance of expired sessions or unexpected attribute rollbacks across nodes.
  • Unexpected hosts sourcing traffic on the cluster multicast address or replication TCP port.

Detection Strategies

  • Inspect Tomcat cluster logs for repeated message identifiers and out-of-order replication events after enabling verbose interceptor logging.
  • Deploy network intrusion detection signatures that flag repeated identical payloads on the configured cluster port.
  • Correlate application-layer session events with cluster replication frames to spot mismatches indicative of replay.

Monitoring Recommendations

  • Baseline normal cluster message rates and alert on anomalous bursts or duplicates on the replication channel.
  • Restrict and monitor access to the cluster network segment, alerting on any new peer joining the multicast group.
  • Track Tomcat version inventory across the estate to confirm no vulnerable instances remain in production.

How to Mitigate CVE-2026-55955

Immediate Actions Required

  • Upgrade Apache Tomcat to version 11.0.23, 10.1.56, or 9.0.119 as specified in the Apache advisory.
  • Isolate cluster replication traffic on a dedicated, access-controlled network segment or VLAN.
  • Rotate the shared encryption key used by EncryptionInterceptor after patching all cluster members.

Patch Information

The Apache Software Foundation released fixed builds in Apache Tomcat 11.0.23, 10.1.56, and 9.0.119. Users on Tomcat 8.5.x and 7.0.x branches, which are end-of-life, should migrate to a supported and patched branch. See the Apache Mailing List Thread and the OpenWall OSS Security Post for the vendor announcement.

Workarounds

  • Restrict cluster communication to trusted hosts using firewall rules and network segmentation until patches are applied.
  • Terminate cluster traffic over a mutually authenticated transport such as an IPsec tunnel to prevent third-party replay on the wire.
  • Disable the cluster component in server.xml if session replication is not required by the deployment.
bash
# Verify installed Apache Tomcat version and confirm patched build
$CATALINA_HOME/bin/version.sh | grep "Server number"

# Example firewall restriction limiting cluster replication port to trusted peers
iptables -A INPUT -p tcp --dport 4000 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.