CVE-2026-55957 Overview
CVE-2026-55957 is an authentication bypass vulnerability in Apache Tomcat affecting the JNDIRealm component when configured to authenticate binds using the Generic Security Services Application Program Interface (GSSAPI). The flaw allows attackers to authenticate to the server without supplying the correct password, breaking the identity verification contract expected by downstream applications. The issue is tracked under [CWE-304: Missing Critical Step in Authentication] and impacts Tomcat release lines 7.x, 8.5.x, 9.0.x, 10.1.x, and 11.0.x. The Apache Tomcat project has published fixed builds in versions 11.0.5, 10.1.37, and 9.0.101.
Critical Impact
Remote unauthenticated attackers can authenticate as legitimate users through misconfigured GSSAPI binds, gaining access to protected application resources without valid credentials.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.4
- Apache Tomcat 10.1.0-M1 through 10.1.36
- Apache Tomcat 9.0.0.M1 through 9.0.100
- Apache Tomcat 8.5.0 through 8.5.100
- Apache Tomcat 7.0.0 through 7.0.109
Discovery Timeline
- 2026-06-29 - CVE-2026-55957 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-55957
Vulnerability Analysis
Apache Tomcat's JNDIRealm integrates the servlet container with directory services such as Active Directory or OpenLDAP for user authentication. When administrators configure the realm to perform authentication through GSSAPI binds against the directory, the code path skips a required step that validates whether the credential exchange actually succeeded. As a result, the realm returns an authenticated principal even when the caller has not proven possession of the password.
This vulnerability falls under [CWE-304], indicating that a step essential to establishing trust in the user's identity was omitted from the authentication logic. Successful exploitation grants the attacker the identity of any username accepted by the realm, exposing servlets, JSP resources, and administrative interfaces protected by the affected realm configuration. The EPSS probability is 0.252% at the 16.4 percentile, and no public proof-of-concept has been observed.
Root Cause
The realm implementation performs a GSSAPI bind against the backing directory but fails to verify the result of the bind operation before returning the authenticated user object. The missing check allows the authentication routine to complete on code paths where the underlying directory did not confirm the credentials.
Attack Vector
Exploitation is remote and network-based. An attacker submits an authentication request to a Tomcat application whose JNDIRealm is configured with useDelegatedCredential or an equivalent GSSAPI bind setting. Because the realm accepts the flow without validating the bind response, the attacker obtains an authenticated session without providing valid credentials.
No verified exploitation code is publicly available. See the Apache Mailing List Thread and the Openwall OSS Security Discussion for technical details.
Detection Methods for CVE-2026-55957
Indicators of Compromise
- Successful authentication events in Tomcat access logs where the username does not correlate with a corresponding successful LDAP or Kerberos bind event on the directory server.
- Session creation for privileged accounts originating from IP addresses outside expected authentication sources.
- Unusual JNDIRealm debug messages showing bind completion without preceding credential validation output.
Detection Strategies
- Compare Tomcat authentication success events against directory service audit logs to identify authentications that lack a matching bind confirmation.
- Enable verbose logging on the org.apache.catalina.realm.JNDIRealm logger and alert on authentications proceeding after failed or absent GSSAPI negotiation steps.
- Inventory Tomcat instances by version and configuration; flag any deployment running affected versions with GSSAPI bind attributes set in server.xml.
Monitoring Recommendations
- Forward Tomcat access and catalina logs to a centralized analytics platform and build correlation rules that pair each successful authentication with a directory-side bind success.
- Track authentication anomalies such as identical accounts logging in from geographically dispersed sources within short intervals.
- Monitor changes to server.xml and realm configuration files for unauthorized modification of authentication settings.
How to Mitigate CVE-2026-55957
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.5, 10.1.37, or 9.0.101 depending on the deployed release line.
- Audit every Tomcat instance for JNDIRealm configurations that specify GSSAPI bind authentication and treat those hosts as priority patching targets.
- Rotate credentials and invalidate active sessions for accounts served by affected realms after patching.
Patch Information
The Apache Tomcat project has released fixed builds in versions 11.0.5, 10.1.37, and 9.0.101. Versions 8.5.x and 7.0.x are end-of-life on the affected code lines; operators still running those branches must migrate to a supported version to receive the fix. Details are published in the Apache Mailing List Thread.
Workarounds
- Reconfigure the JNDIRealm to use simple bind or another authentication method that is not affected by the missing GSSAPI validation step, if operational requirements allow.
- Restrict network access to Tomcat authentication endpoints using firewall rules or a reverse proxy that enforces additional identity checks until the patch is applied.
- Place a Web Application Firewall or authenticating reverse proxy in front of Tomcat to require an independent authentication factor for protected resources.
# Verify the running Tomcat version
$CATALINA_HOME/bin/version.sh
# Inspect server.xml for GSSAPI-based JNDIRealm configuration
grep -n "JNDIRealm" $CATALINA_HOME/conf/server.xml
grep -nE "useDelegatedCredential|GSSAPI|gssapi" $CATALINA_HOME/conf/server.xml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

