Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55956

CVE-2026-55956: Apache Tomcat Auth Bypass Vulnerability

CVE-2026-55956 is an authorization bypass vulnerability in Apache Tomcat that allows attackers to circumvent security constraints on the default servlet. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-55956 Overview

CVE-2026-55956 is an improper authorization vulnerability [CWE-285] in Apache Tomcat. The default servlet ignores any HTTP method or method-omission clause defined inside a security constraint. As a result, requests that should be blocked based on method restrictions can reach protected static resources.

The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. End-of-life branches may also be affected. Administrators should upgrade to 11.0.23, 10.1.56, or 9.0.119.

Critical Impact

Attackers can bypass HTTP method-based access controls on the default servlet, exposing static resources intended to be restricted to specific verbs such as GET or POST.

Affected Products

  • Apache Tomcat 11.0.0-M1 through 11.0.22
  • Apache Tomcat 10.1.0-M1 through 10.1.55, and 9.0.0.M1 through 9.0.118
  • Apache Tomcat 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109

Discovery Timeline

  • 2026-06-29 - CVE-2026-55956 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-55956

Vulnerability Analysis

Apache Tomcat enforces access control through <security-constraint> elements declared in web.xml. Each constraint can list HTTP methods via <http-method> or exclude them via <http-method-omission>. This allows administrators to restrict, for example, PUT and DELETE while permitting GET.

The default servlet, which serves static resources, fails to honor the method or method-omission portion of these constraints. Tomcat evaluates the URL pattern but disregards the verb, so a constraint intended to block certain methods applies uniformly or not at all. Attackers can then reach resources under a method the administrator explicitly attempted to restrict.

The issue is reachable over the network without authentication or user interaction. Confidentiality and integrity of static content served by the default servlet are affected, though availability is not directly impacted.

Root Cause

The root cause is missing method-aware authorization logic in the default servlet's constraint evaluation path. The servlet applies pattern-based checks but omits method filtering, breaking the Jakarta Servlet specification's contract for <http-method> and <http-method-omission> elements.

Attack Vector

An unauthenticated remote attacker sends an HTTP request using a verb that a security constraint was intended to block. Because the default servlet ignores the method clause, the request is processed as if no method restriction existed. The attacker can then read or modify static resources beyond the intended policy. See the Apache Mailing List advisory for the complete description.

Detection Methods for CVE-2026-55956

Indicators of Compromise

  • HTTP requests to static resources using methods such as PUT, DELETE, HEAD, or OPTIONS that a web.xml security constraint was configured to restrict.
  • Successful 2xx responses from the default servlet for verbs that should have been rejected with 403 Forbidden.
  • Access log entries showing method-diverse traffic against paths mapped only to the default servlet.

Detection Strategies

  • Compare web.xml security constraints against Tomcat access logs and flag any request where the served method appears in an <http-method> deny list or is excluded by <http-method-omission>.
  • Enumerate all deployed applications and identify constraints that rely on method restrictions for the default servlet, which is where the bypass surfaces.
  • Run authenticated scans against non-production instances using the affected verbs to confirm whether resources respond outside the intended policy.

Monitoring Recommendations

  • Alert on unusual HTTP verb distributions targeting Tomcat static content paths.
  • Track version banners and container inventory to identify hosts still running vulnerable Tomcat releases.
  • Forward Tomcat access and manager logs to a centralized analytics platform for correlation across the fleet.

How to Mitigate CVE-2026-55956

Immediate Actions Required

  • Upgrade Apache Tomcat to 11.0.23, 10.1.56, or 9.0.119 as directed by the vendor advisory.
  • Inventory all Tomcat instances, including embedded deployments in Spring Boot and third-party appliances.
  • Review every web.xml for security constraints that depend on method or method-omission clauses against the default servlet.

Patch Information

The Apache Tomcat project has released fixed versions 11.0.23, 10.1.56, and 9.0.119. Users on branches 8.5.x and 7.0.x are past end of support and should migrate to a supported branch. Refer to the Apache Mailing List advisory and the Openwall OSS Security post for full details.

Workarounds

  • Front Tomcat with a reverse proxy such as Apache HTTPD or NGINX and enforce HTTP method allow-lists at that tier.
  • Replace default-servlet reliance with an application servlet that performs its own method validation for sensitive paths.
  • Restrict access to static resource directories using filesystem permissions or network ACLs until patching completes.
bash
# Example NGINX method allow-list in front of Tomcat
location /static/ {
    limit_except GET HEAD {
        deny all;
    }
    proxy_pass http://tomcat_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.