The Apache Software Foundation has revealed two critical vulnerabilities in Apache Tomcat that could allow attackers to bypass authentication and security constraints, posing significant risks to web applications.
Details of the Discovered Vulnerabilities
Identified as CVE-2026-55957 and CVE-2026-55956, the vulnerabilities affect multiple major versions of the popular servlet container. Enterprises running these versions are strongly advised to upgrade promptly to reduce the risk of a breach.
CVE-2026-55957: JNDIRealm Component Flaw
CVE-2026-55957, classified as important severity, affects the JNDIRealm component when it is configured with a GSSAPI authenticated bind. The issue arises because security constraints on the default servlet are not enforced correctly: HTTP method restrictions, or method omissions in the access rules, can be ignored. As a result, attackers can reach protected resources without authenticating.
Affected versions include Apache Tomcat 11.0.0-M1 through 11.0.4, 10.1.0-M1 through 10.1.36, and 9.0.0.M1 through 9.0.100. Users should upgrade to version 11.0.5, 10.1.37, or 9.0.101 or later. The flaw was responsibly disclosed by security researcher Ilan Toyter.
CVE-2026-55956: Default Servlet Security Issue
The second vulnerability, CVE-2026-55956, rated as moderate, shares the root cause of inadequate security constraint enforcement for the default servlet. Although less severe, it affects more versions, indicating a long-standing issue. This flaw was present in Apache Tomcat 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, and 9.0.0.M1 through 9.0.118.
To address this, users should upgrade to version 11.0.23, 10.1.56, or 9.0.119 or later. The vulnerability allows unauthorized access to resources because method-based restrictions are not respected, so a resource can be reached with an HTTP verb that the constraint does not cover.
Urgent Action Required
Organizations running affected Tomcat versions are urged to prioritize patching, particularly where the default servlet serves sensitive content or JNDIRealm with GSSAPI bind is used for authentication. The Apache Software Foundation offers no workaround other than upgrading, so administrators should apply the patched releases immediately.
After upgrading, administrators should audit their existing security constraints to confirm that they now behave as intended and block unauthorized access. Taking these steps lets enterprises safeguard their web applications against exploitation.
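As an added illustration of that post-upgrade audit (this script is not from the Apache advisory or the Tomcat project), the following Python reads a web.xml deployment descriptor and reports, for each url-pattern, which common HTTP methods no security constraint covers. The rules it applies come from the Servlet specification: an explicit http-method list restricts the constraint to those methods only, http-method-omission covers every method except the listed ones, neither element means all methods, and deny-uncovered-http-methods tells the container to reject anything left uncovered. The web.xml content is constructed for the example; the method list and the exact-match treatment of url-patterns are assumptions, and overlapping patterns are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor; not taken from any real deployment.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private files</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Assumed list of methods worth checking; extend it if the application answers others.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text and c.text.strip()]


def parse_constraints(xml_text):
    """Return (records, deny_uncovered): one record per <web-resource-collection>,
    plus whether the descriptor declares <deny-uncovered-http-methods/>."""
    root = ET.fromstring(xml_text)
    records = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # No <auth-constraint> at all grants access to everyone; an empty
        # <auth-constraint/> denies everyone. Only constraints that have one protect.
        protects = bool(_children(sc, "auth-constraint"))
        for wrc in _children(sc, "web-resource-collection"):
            records.append({
                "patterns": _texts(wrc, "url-pattern"),
                "methods": {m.upper() for m in _texts(wrc, "http-method")},
                "omissions": {m.upper() for m in _texts(wrc, "http-method-omission")},
                "protects": protects,
            })
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root.iter())
    return records, deny_uncovered


def covered_methods(record):
    """Methods this collection constrains, per the Servlet spec: an explicit
    <http-method> list covers only those methods, <http-method-omission> covers
    every method except those listed, and neither element means all methods."""
    if record["methods"]:
        return set(record["methods"])
    if record["omissions"]:
        return set(COMMON_METHODS) - record["omissions"]
    return set(COMMON_METHODS)


def uncovered_methods(records, url_pattern):
    """Common methods that no protecting constraint covers for this exact
    url-pattern (overlap such as /* versus /admin/* is deliberately not resolved)."""
    covered = set()
    for rec in records:
        if url_pattern in rec["patterns"] and rec["protects"]:
            covered |= covered_methods(rec)
    return sorted(set(COMMON_METHODS) - covered)


def audit(xml_text):
    """Map each url-pattern to its uncovered methods, omitting fully covered patterns."""
    records, deny_uncovered = parse_constraints(xml_text)
    patterns = sorted({p for r in records for p in r["patterns"]})
    gaps = {p: uncovered_methods(records, p) for p in patterns}
    return {"deny_uncovered_http_methods": deny_uncovered,
            "gaps": {p: g for p, g in gaps.items() if g}}


if __name__ == "__main__":
    report = audit(SAMPLE_WEB_XML)
    if not report["deny_uncovered_http_methods"]:
        print("deny-uncovered-http-methods is not declared; uncovered methods stay reachable")
    for pattern, methods in report["gaps"].items():
        print(f"{pattern}: no constraint for {', '.join(methods)}")
```

Run against a real descriptor by replacing SAMPLE_WEB_XML with the file's contents. A pattern that shows up in the gaps with deny-uncovered-http-methods absent is one where the constraint depends entirely on the container honouring the method list, which is exactly the behaviour the advisory says broken releases got wrong; adding the deny-uncovered-http-methods element, or writing constraints without method lists, removes that dependency.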
