CVE 9.1 CRITICAL

Apache Tomcat: Security constraints not correctly applied_CVE-2026-43515

May 14, 2026 invoker category_cve
9.1 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

AI Analysis

Improper Authorization vulnerability in Apache Tomcat when multiple method constraints define an HTTP method for the same extension

Basic Information

ID CVE-2026-43515
Source apache
Published May 12, 2026 at 15:33
Modified May 14, 2026 at 19:53

Affected Product

Vendor Apache Software Foundation
Product Apache Tomcat
Version 11.0.0-M1
Affected Versions Apache Software Foundation Apache Tomcat 11.0.0-M1
Apache Software Foundation Apache Tomcat 10.1.0-M1
Apache Software Foundation Apache Tomcat 9.0.0.M1
Apache Software Foundation Apache Tomcat 8.5.0
Apache Software Foundation Apache Tomcat 7.0.0

CWE Classification

CWE-285

AI Assessment

AI Score 9.1 / 10
AI Severity Critical
Vendor Apache Software Foundation
Product Apache Tomcat
Version 11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 8.5.0, 7.0.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.