Overview
The Apache Software Foundation has disclosed two new vulnerabilities in Apache Tomcat, the world’s most widely used Java servlet container. Tracked as CVE‑2026‑55957 and CVE‑2026‑55956, these flaws could allow attackers to bypass authentication and security constraints, exposing sensitive web applications to unauthorized access.

CVE-2026-55957 — JNDIRealm Authentication Bypass
Rated Important, this vulnerability affects Tomcat’s JNDIRealm component when it is configured to bind to the directory with GSSAPI authentication.
- Root cause: security constraints declared for the default servlet were not enforced correctly.
- Impact: the HTTP methods and method omissions configured in those access rules were ignored, so an attacker could reach protected resources without authenticating.
- Affected versions:
  - Tomcat 11.0.0-M1 through 11.0.4
  - Tomcat 10.1.0-M1 through 10.1.36
  - Tomcat 9.0.0-M1 through 9.0.100
- Fix: upgrade to 11.0.5, 10.1.37, or 9.0.101.
This issue was responsibly disclosed by security researcher Ilan Toyter, underscoring the importance of community‑driven vulnerability reporting.
CVE-2026-55956 — Default Servlet Constraint Bypass
Rated Moderate, this flaw shares the same underlying logic defect.
- Root cause: security constraints defined for the default servlet did not enforce the HTTP methods or method omissions they declared.
- Impact: endpoints assumed to be protected by method-based rules (for example, rules restricting PUT or DELETE) stayed reachable through verbs the rules did not cover.
- Affected versions:
  - Tomcat 11.0.0-M1 through 11.0.22
  - Tomcat 10.1.0-M1 through 10.1.55
  - Tomcat 9.0.0-M1 through 9.0.118
- Fix: upgrade to 11.0.23, 10.1.56, or 9.0.119.
While less severe, CVE‑2026‑55956 affects a broader range of releases, revealing that the defect persisted across multiple development cycles.
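To turn the two version tables above into a check, here is an added example (not from the advisory or from the Tomcat project) that takes a version string as printed by version.sh or as returned in a Server header, such as Apache Tomcat/9.0.100, and reports for each CVE whether that build is below the fixed release on its branch. The fixed versions are the ones listed above; milestone builds such as 11.0.0-M1 are ordered before the final release of the same number. Branches the advisories do not list (8.5.x, for instance) return None rather than a verdict.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions per branch, taken from the two advisories above. A build that
# sorts below the fixed version on the same branch is reported as affected.
FIXED: Dict[str, Dict[Tuple[int, int], str]] = {
    "CVE-2026-55957": {(11, 0): "11.0.5", (10, 1): "10.1.37", (9, 0): "9.0.101"},
    "CVE-2026-55956": {(11, 0): "11.0.23", (10, 1): "10.1.56", (9, 0): "9.0.119"},
}

# Matches "9.0.100" or "11.0.0-M1" anywhere in the input string.
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

# Sentinel for final releases so that 11.0.0-M26 < 11.0.0.
_FINAL = 10**6


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a Tomcat version from strings such as 'Apache Tomcat/9.0.100' or
    'Server version: Apache Tomcat/11.0.0-M1' and return a sortable tuple
    (major, minor, patch, milestone). Returns None if no version is present."""
    m = _VER.search(text)
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else _FINAL)


def is_affected(version_text: str, cve: str) -> Optional[bool]:
    """True if the build is below the fixed release on its branch, False if it
    is at or above it, None if the string has no version or the branch is not
    one the advisory lists (e.g. 8.5.x or 10.0.x)."""
    v = parse_version(version_text)
    if v is None:
        return None
    fixed = FIXED[cve].get((v[0], v[1]))
    if fixed is None:
        return None
    fixed_v = parse_version(fixed)
    assert fixed_v is not None
    return v < fixed_v


def exposure(version_text: str) -> Dict[str, Optional[bool]]:
    """Verdict for both CVEs at once."""
    return {cve: is_affected(version_text, cve) for cve in FIXED}


if __name__ == "__main__":
    # Constructed inputs, not output from any real server.
    for s in ("Apache Tomcat/9.0.100", "Apache Tomcat/9.0.101",
              "Server version: Apache Tomcat/11.0.0-M1",
              "Apache Tomcat/10.1.56", "Apache Tomcat/8.5.100"):
        print(f"{s:45} {exposure(s)}")
```

Note that 9.0.101 comes back as patched for CVE-2026-55957 but still affected by CVE-2026-55956, which is the point of tracking the two fix sets separately.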
Technical Implications
Both vulnerabilities center on how Tomcat applies <security-constraint> definitions to the default servlet. When administrators scoped access control to specific HTTP methods, Tomcat’s request-matching logic did not honor those restrictions consistently.
In practice, this meant:
- Unauthenticated access to endpoints that a security constraint was meant to protect.
- Use of HTTP verbs, such as PUT or DELETE against the default servlet, that a method-scoped rule was meant to restrict.
- Exposure of administrative functions and configuration interfaces served under a constrained path.
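The constraints at issue are ordinary web.xml elements, so the first thing to know is which of your constraints are method-scoped and sit on the default servlet. The following is an added example, not code from the advisory or from Tomcat: it parses a constructed web.xml, reports every security-constraint whose url-pattern covers the default servlet (/ or /*) and that names http-method or http-method-omission elements, and records whether deny-uncovered-http-methods is declared. That last element is standard Servlet 3.1 web.xml; without it, any method a constraint does not name is simply unconstrained, which is a separate exposure from the bypass described above. The sample constraints and role names are invented for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.xml, not taken from the advisory or any real deployment.
# The first constraint names only PUT and DELETE on the default servlet's
# pattern; the second protects /admin/* for every method.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Uploads</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin UI</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened variant: the same constraints plus <deny-uncovered-http-methods/>,
# so any method a constraint does not name is rejected instead of left open.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "</web-app>", "  <deny-uncovered-http-methods/>\n</web-app>")

# url-patterns under which the default servlet serves requests.
DEFAULT_SERVLET_PATTERNS = {"/", "/*"}


def _local(tag: str) -> str:
    """Drop the XML namespace so lookups work whether or not xmlns is declared."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name: str) -> List[str]:
    """Text of every direct child element called `name`."""
    return [(e.text or "").strip() for e in parent if _local(e.tag) == name]


def audit_web_xml(xml_text: str) -> Dict:
    """Report method-scoped constraints that cover the default servlet and
    whether methods they do not name are denied."""
    root = ET.fromstring(xml_text)
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root)
    findings = []
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = _texts(wrc, "url-pattern")
            methods = _texts(wrc, "http-method")
            omissions = _texts(wrc, "http-method-omission")
            covers_default = any(p in DEFAULT_SERVLET_PATTERNS for p in patterns)
            if covers_default and (methods or omissions):
                findings.append({
                    "name": (_texts(wrc, "web-resource-name") or ["?"])[0],
                    "patterns": patterns,
                    "methods": methods,
                    "omissions": omissions,
                    # Without deny-uncovered-http-methods, every method not
                    # listed in this constraint is reachable with no
                    # constraint at all.
                    "other_methods_uncovered": not deny_uncovered,
                })
    return {"deny_uncovered_http_methods": deny_uncovered, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc))
```

Run it against each deployed application's WEB-INF/web.xml (and conf/web.xml, where the default servlet itself is declared). Every finding is a constraint whose enforcement the two advisories say was unreliable on unpatched builds, and a finding with other_methods_uncovered set is a problem on patched builds too.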
Recommended Actions
Organizations running affected Tomcat instances should act immediately:
- Upgrade to patched versions. The fixes for CVE-2026-55957 shipped in 11.0.5 / 10.1.37 / 9.0.101 and those for CVE-2026-55956 in 11.0.23 / 10.1.56 / 9.0.119; because the later releases on each branch include the earlier fixes, moving to 11.0.23, 10.1.56, or 9.0.119 or later addresses both.
- Audit web.xml security constraints to confirm that method-level rules behave as intended, and pair any constraint that names specific methods with <deny-uncovered-http-methods/> so the methods it leaves unnamed are rejected rather than left uncovered.
- Review JNDIRealm configurations for GSSAPI bind usage.
- Harden default servlet access by restricting HTTP verbs the application does not need.
- Monitor server logs and SIEM systems for successful requests to protected paths that carry no authenticated user.
Since Apache lists no workarounds other than upgrading, patching is the only reliable mitigation.
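The monitoring step is easy to state and fiddly to write, so here is an added example (not from the advisory, and not a Tomcat component) that runs a simple rule over lines in the default AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b: a request is flagged when its path and method fall under a protected rule, the response was a success or redirect (2xx or 3xx), and the %u field is "-", meaning Tomcat attached no authenticated principal. The protected rules and the log lines are constructed for the example and mirror the kind of web.xml constraints discussed above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample lines in Tomcat's "common" access log pattern
# (%h %l %u %t "%r" %s %b). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Oct/2025:13:55:36 +0000] "DELETE /uploads/report.pdf HTTP/1.1" 204 -
10.0.0.9 - - [10/Oct/2025:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.9 - - [10/Oct/2025:13:55:41 +0000] "PUT /uploads/shell.jsp HTTP/1.1" 201 -
10.0.0.9 - - [10/Oct/2025:13:55:42 +0000] "DELETE /uploads/report.pdf HTTP/1.1" 401 -
10.0.0.9 - - [10/Oct/2025:13:55:43 +0000] "GET /admin/config?view=1 HTTP/1.1" 200 884
203.0.113.7 - - [10/Oct/2025:13:55:44 +0000] "OPTIONS /uploads/x HTTP/1.1" 405 -
"""

# Hypothetical policy mirroring web.xml constraints: path prefixes and the
# methods that must never succeed without an authenticated user.
# None means every method is protected under that prefix.
PROTECTED: List[Tuple[str, Optional[Set[str]]]] = [
    ("/uploads/", {"PUT", "DELETE"}),
    ("/admin/", None),
]

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass
class Hit:
    host: str
    user: str
    method: str
    path: str
    status: int


def is_protected(method: str, path: str) -> bool:
    """True if any policy entry covers this method on this path."""
    for prefix, methods in PROTECTED:
        if path.startswith(prefix) and (methods is None or method in methods):
            return True
    return False


def find_unauthenticated_successes(log_text: str) -> List[Hit]:
    """Return requests that reached a protected method/path with a 2xx/3xx
    status while %u was "-". Unparseable lines are skipped."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if m["user"] == "-" and 200 <= status < 400 and is_protected(m["method"], path):
            hits.append(Hit(m["host"], m["user"], m["method"], path, status))
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_successes(SAMPLE_LOG):
        print(f"ALERT {hit.host} {hit.method} {hit.path} -> {hit.status} with no principal")
```

Two caveats on the signal. %u is only populated when Tomcat itself authenticated the request; if a reverse proxy terminates authentication, %u is always "-" and the same rule has to run over the proxy's logs with its user field instead. And a 401 or 403 on a protected path is the constraint working, so it is deliberately not flagged; the interesting events are the ones that succeeded.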
Expert in the Cloud Insight
The Tomcat vulnerabilities highlight a recurring theme in enterprise security: authentication bypass through misconfigured or incomplete constraint logic. Even moderate‑severity flaws can become critical when they affect default servlets used by thousands of applications.
For security leaders, the lesson is clear — default does not mean safe. Regular code reviews, configuration audits, and rapid patch deployment must be standard practice for any organization running Tomcat in production.