CVE-2026-55956 Overview
CVE-2026-55956 is an improper authorization vulnerability [CWE-285] in Apache Tomcat. The default servlet ignores any HTTP method or method-omission clause defined inside a security constraint. As a result, requests that should be blocked based on method restrictions can reach protected static resources.
The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.0.M1 through 9.0.118, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. End-of-life branches may also be affected. Administrators should upgrade to 11.0.23, 10.1.56, or 9.0.119.
Critical Impact
Attackers can bypass HTTP method-based access controls on the default servlet, exposing static resources intended to be restricted to specific verbs such as GET or POST.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.22
- Apache Tomcat 10.1.0-M1 through 10.1.55, and 9.0.0.M1 through 9.0.118
- Apache Tomcat 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109
Discovery Timeline
- 2026-06-29 - CVE-2026-55956 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-55956
Vulnerability Analysis
Apache Tomcat enforces access control through <security-constraint> elements declared in web.xml. Each constraint can list HTTP methods via <http-method> or exclude them via <http-method-omission>. This allows administrators to restrict, for example, PUT and DELETE while permitting GET.
The default servlet, which serves static resources, fails to honor the method or method-omission portion of these constraints. Tomcat evaluates the URL pattern but disregards the verb, so a constraint intended to block certain methods applies uniformly or not at all. Attackers can then reach resources under a method the administrator explicitly attempted to restrict.
The issue is reachable over the network without authentication or user interaction. Confidentiality and integrity of static content served by the default servlet are affected, though availability is not directly impacted.
Root Cause
The root cause is missing method-aware authorization logic in the default servlet's constraint evaluation path. The servlet applies pattern-based checks but omits method filtering, breaking the Jakarta Servlet specification's contract for <http-method> and <http-method-omission> elements.
Attack Vector
An unauthenticated remote attacker sends an HTTP request using a verb that a security constraint was intended to block. Because the default servlet ignores the method clause, the request is processed as if no method restriction existed. The attacker can then read or modify static resources beyond the intended policy. See the Apache Mailing List advisory for the complete description.
Detection Methods for CVE-2026-55956
Indicators of Compromise
- HTTP requests to static resources using methods such as PUT, DELETE, HEAD, or OPTIONS that a web.xml security constraint was configured to restrict.
- Successful 2xx responses from the default servlet for verbs that should have been rejected with 403 Forbidden.
- Access log entries showing method-diverse traffic against paths mapped only to the default servlet.
Detection Strategies
- Compare web.xml security constraints against Tomcat access logs and flag any request where the served method appears in an <http-method> deny list or is excluded by <http-method-omission>.
- Enumerate all deployed applications and identify constraints that rely on method restrictions for the default servlet, which is where the bypass surfaces.
- Run authenticated scans against non-production instances using the affected verbs to confirm whether resources respond outside the intended policy.
Monitoring Recommendations
- Alert on unusual HTTP verb distributions targeting Tomcat static content paths.
- Track version banners and container inventory to identify hosts still running vulnerable Tomcat releases.
- Forward Tomcat access and manager logs to a centralized analytics platform for correlation across the fleet.
How to Mitigate CVE-2026-55956
Immediate Actions Required
- Upgrade Apache Tomcat to 11.0.23, 10.1.56, or 9.0.119 as directed by the vendor advisory.
- Inventory all Tomcat instances, including embedded deployments in Spring Boot and third-party appliances.
- Review every web.xml for security constraints that depend on method or method-omission clauses against the default servlet.
Patch Information
The Apache Tomcat project has released fixed versions 11.0.23, 10.1.56, and 9.0.119. Users on branches 8.5.x and 7.0.x are past end of support and should migrate to a supported branch. Refer to the Apache Mailing List advisory and the Openwall OSS Security post for full details.
Workarounds
- Front Tomcat with a reverse proxy such as Apache HTTPD or NGINX and enforce HTTP method allow-lists at that tier.
- Replace default-servlet reliance with an application servlet that performs its own method validation for sensitive paths.
- Restrict access to static resource directories using filesystem permissions or network ACLs until patching completes.
# Example NGINX method allow-list in front of Tomcat
location /static/ {
limit_except GET HEAD {
deny all;
}
proxy_pass http://tomcat_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

