Apache Tomcat: AJP secret compared in non-constant time_CVE-2026-43514

3.7 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Basic Information

ID CVE-2026-43514

Source apache

Published May 12, 2026 at 15:32

Modified May 13, 2026 at 17:22

Affected Product

Vendor Apache Software Foundation

Product Apache Tomcat

Version 11.0.0-M1

Affected Versions Apache Software Foundation Apache Tomcat 11.0.0-M1
Apache Software Foundation Apache Tomcat 10.1.0-M1
Apache Software Foundation Apache Tomcat 9.0.0.M1
Apache Software Foundation Apache Tomcat 8.5.0
Apache Software Foundation Apache Tomcat 7.0.0

CWE Classification

CWE-208

References

lists.apache.org /thread/2k654v5cq123npfsd1b2kk1y30owqb1m

{
    "lastseen": "",
    "description": "Observable Timing Discrepancy vulnerability\u00a0when comparing AJP secret in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOlder unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.",
    "published": "2026-05-12T15:32:09.858Z",
    "modified": "2026-05-13T17:22:42.246Z",
    "type": "cve",
    "title": "Apache Tomcat: AJP secret compared in non-constant time",
    "source": "apache",
    "references": "https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m",
    "id": "CVE-2026-43514",
    "bulletinFamily": "",
    "cwe": [
        "CWE-208"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Tomcat 11.0.0-M1\nApache Software Foundation Apache Tomcat 10.1.0-M1\nApache Software Foundation Apache Tomcat 9.0.0.M1\nApache Software Foundation Apache Tomcat 8.5.0\nApache Software Foundation Apache Tomcat 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 3.7,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Tomcat",
    "version": "11.0.0-M1",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}