Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-53404 (GCVE-0-2026-53404)
Vulnerability from cvelistv5 – Published: 2026-06-29 20:39 – Updated: 2026-06-30 12:34
VLAI
EPSS
Title
Apache Tomcat: Bad ornext processing in RewriteValve
Summary
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/rdhpghgfskrdmw9hq… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/0… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Tomcat |
Affected:
11.0.0-M1 , ≤ 11.0.22
(semver)
Affected: 10.1.0-M1 , ≤ 10.1.55 (semver) Affected: 9.0.0.M1 , ≤ 9.0.118 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Unaffected: 0 , < 8.0.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-29T22:24:25.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/21"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-53404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T12:30:42.750259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:34:20.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Tomcat",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "11.0.22",
"status": "affected",
"version": "11.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.1.55",
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.118",
"status": "affected",
"version": "9.0.0.M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.5.100",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "8.0.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAlways-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.\u003c/p\u003e"
}
],
"value": "Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670 Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:39:45.317Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Tomcat: Bad ornext processing in RewriteValve",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-53404",
"datePublished": "2026-06-29T20:39:45.317Z",
"dateReserved": "2026-06-09T08:52:02.309Z",
"dateUpdated": "2026-06-30T12:34:20.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53404",
"date": "2026-06-30",
"epss": "0.00174",
"percentile": "0.07083"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53404\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-06-29T21:16:44.527\",\"lastModified\":\"2026-06-30T14:10:09.760\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache Tomcat\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"11.0.0-M1\",\"lessThanOrEqual\":\"11.0.22\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"10.1.0-M1\",\"lessThanOrEqual\":\"10.1.55\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"9.0.0.M1\",\"lessThanOrEqual\":\"9.0.118\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.5.0\",\"lessThanOrEqual\":\"8.5.100\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"8.0.0\",\"versionType\":\"semver\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-30T12:30:42.750259Z\",\"id\":\"CVE-2026-53404\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-670\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/06/29/21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/06/29/21\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-06-29T22:24:25.256Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-53404\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-30T12:30:42.750259Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-30T12:30:35.235Z\"}}], \"cna\": {\"title\": \"Apache Tomcat: Bad ornext processing in RewriteValve\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tomcat\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.22\"}, {\"status\": \"affected\", \"version\": \"10.1.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.1.55\"}, {\"status\": \"affected\", \"version\": \"9.0.0.M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0.118\"}, {\"status\": \"affected\", \"version\": \"8.5.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.5.100\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"8.0.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAlways-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-670\", \"description\": \"CWE-670 Always-Incorrect Control Flow Implementation\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-06-29T20:39:45.317Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-53404\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T12:34:20.821Z\", \"dateReserved\": \"2026-06-09T08:52:02.309Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-06-29T20:39:45.317Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0817
Vulnerability from certfr_avis - Published: 2026-06-30 - Updated: 2026-06-30
De multiples vulnérabilités ont été découvertes dans Apache Tomcat. Certaines d'entre elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS), un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tomcat versions 11.0.x ant\u00e9rieures \u00e0 11.0.23",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
},
{
"description": "Tomcat versions 10.1.x ant\u00e9rieures \u00e0 10.1.56",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
},
{
"description": "Tomcat versions 9.0.x ant\u00e9rieures \u00e0 9.0.119",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-55276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55276"
},
{
"name": "CVE-2026-50229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50229"
},
{
"name": "CVE-2026-55956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55956"
},
{
"name": "CVE-2026-55955",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55955"
},
{
"name": "CVE-2026-53434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53434"
},
{
"name": "CVE-2026-53404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53404"
}
],
"initial_release_date": "2026-06-30T00:00:00",
"last_revision_date": "2026-06-30T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0817",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Apache Tomcat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS), un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apache Tomcat",
"vendor_advisories": [
{
"published_at": "2026-06-23",
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat Apache_Tomcat_9.0.119",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.119"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat Apache_Tomcat_10.1.56",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.56"
},
{
"published_at": "2026-06-22",
"title": "Bulletin de s\u00e9curit\u00e9 Apache Tomcat Apache_Tomcat_11.0.23",
"url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.23"
}
]
}
GHSA-H792-V28V-PPGR
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 15:30
VLAI
Details
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Severity
7.3 (High)
{
"affected": [],
"aliases": [
"CVE-2026-53404"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T21:16:44Z",
"severity": "HIGH"
},
"details": "Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat\u0027s rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.",
"id": "GHSA-h792-v28v-ppgr",
"modified": "2026-06-30T15:30:43Z",
"published": "2026-06-29T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
RHSA-2026:29203
Vulnerability from csaf_redhat - Published: 2026-06-24 17:15 - Updated: 2026-06-30 15:09Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
tomcat10:
* tomcat10-10.1.56-1.hum1 (noarch)
* tomcat10-admin-webapps-10.1.56-1.hum1 (noarch)
* tomcat10-common-10.1.56-1.hum1 (noarch)
* tomcat10-docs-webapp-10.1.56-1.hum1 (noarch)
* tomcat10-el-5.0-api-10.1.56-1.hum1 (noarch)
* tomcat10-jsp-3.1-api-10.1.56-1.hum1 (noarch)
* tomcat10-lib-10.1.56-1.hum1 (noarch)
* tomcat10-servlet-6.0-api-10.1.56-1.hum1 (noarch)
* tomcat10-user-instance-10.1.56-1.hum1 (noarch)
* tomcat10-webapps-10.1.56-1.hum1 (noarch)
* tomcat10-10.1.56-1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Apache Tomcat's rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations.
6.5 (Medium)
Affected products
Threats
Impact
Moderate
A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security controls might not be properly enforced.
CWE-390 - Detection of Error Condition Without ActionAffected products
Threats
Impact
Low
A flaw was found in Apache Tomcat. Due to an always-incorrect control flow implementation, special roles and empty authorization constraints were not accurately included when the effective web.xml configuration was logged. This could lead to a security oversight where administrators might misinterpret the actual authorization constraints, potentially impacting the security posture of the application.
CWE-778 - Insufficient LoggingAffected products
Threats
Impact
Low
A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component.
4.2 (Medium)
Affected products
Threats
Impact
Important
References
30 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ntomcat10:\n * tomcat10-10.1.56-1.hum1 (noarch)\n * tomcat10-admin-webapps-10.1.56-1.hum1 (noarch)\n * tomcat10-common-10.1.56-1.hum1 (noarch)\n * tomcat10-docs-webapp-10.1.56-1.hum1 (noarch)\n * tomcat10-el-5.0-api-10.1.56-1.hum1 (noarch)\n * tomcat10-jsp-3.1-api-10.1.56-1.hum1 (noarch)\n * tomcat10-lib-10.1.56-1.hum1 (noarch)\n * tomcat10-servlet-6.0-api-10.1.56-1.hum1 (noarch)\n * tomcat10-user-instance-10.1.56-1.hum1 (noarch)\n * tomcat10-webapps-10.1.56-1.hum1 (noarch)\n * tomcat10-10.1.56-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:29203",
"url": "https://access.redhat.com/errata/RHSA-2026:29203"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55955",
"url": "https://access.redhat.com/security/cve/CVE-2026-55955"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55956",
"url": "https://access.redhat.com/security/cve/CVE-2026-55956"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55957",
"url": "https://access.redhat.com/security/cve/CVE-2026-55957"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55276",
"url": "https://access.redhat.com/security/cve/CVE-2026-55276"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53404",
"url": "https://access.redhat.com/security/cve/CVE-2026-53404"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53434",
"url": "https://access.redhat.com/security/cve/CVE-2026-53434"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_29203.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-30T15:09:02+00:00",
"generator": {
"date": "2026-06-30T15:09:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:29203",
"initial_release_date": "2026-06-24T17:15:25+00:00",
"revision_history": [
{
"date": "2026-06-24T17:15:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-30T09:54:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T15:09:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat10-main@noarch",
"product": {
"name": "tomcat10-main@noarch",
"product_id": "tomcat10-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat10@10.1.56-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat10-main@src",
"product": {
"name": "tomcat10-main@src",
"product_id": "tomcat10-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat10@10.1.56-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat10-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:tomcat10-main@noarch"
},
"product_reference": "tomcat10-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat10-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:tomcat10-main@src"
},
"product_reference": "tomcat10-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-53404",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2026-06-29T21:01:58.363486+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494681"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat\u0027s rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache Tomcat: Apache Tomcat: Incorrect control flow in rewrite valve allows unexpected rule processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat\u0027s RewriteValve. When rewrite rules use OR-chained conditions followed by non-OR conditions, the processing logic may not evaluate conditions correctly, potentially allowing unintended rule matches. Exploitation requires the RewriteValve to be enabled with specific OR-chained condition patterns, which is not a default configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53404"
},
{
"category": "external",
"summary": "RHBZ#2494681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz",
"url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
}
],
"release_date": "2026-06-29T20:39:45.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T17:15:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:29203"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments that use the RewriteValve with OR-chained rewrite conditions. Deployments that do not use the RewriteValve are not affected. Review rewrite rules for OR-chained conditions and test rule evaluation behavior.",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Apache Tomcat: Apache Tomcat: Incorrect control flow in rewrite valve allows unexpected rule processing"
},
{
"cve": "CVE-2026-53434",
"cwe": {
"id": "CWE-390",
"name": "Detection of Error Condition Without Action"
},
"discovery_date": "2026-06-29T21:01:05.687650+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494668"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security controls might not be properly enforced.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Error condition not handled when configuring CRLs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat. When using the FFM-based connector with CRL-based certificate revocation checking, an error in CRL data processing is not handled correctly, potentially allowing revoked certificates to be accepted. This only affects Tomcat 10.1.0-M7+ and 11.x using the FFM connector (Java 22+ Foreign Function \u0026 Memory API) with CRL configuration \u2014 an extremely narrow set of conditions not present in standard Red Hat deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53434"
},
{
"category": "external",
"summary": "RHBZ#2494668",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494668"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53434"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/x510lbq0sfrd1qyo7q3r1mpllgpdcosk",
"url": "https://lists.apache.org/thread/x510lbq0sfrd1qyo7q3r1mpllgpdcosk"
}
],
"release_date": "2026-06-29T20:41:06.948000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T17:15:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:29203"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments using the FFM-based connector (requires Java 22+) with CRL-based certificate revocation checking. Deployments using the standard NIO/NIO2 connectors or not using CRL checking are not affected.",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Error condition not handled when configuring CRLs"
},
{
"cve": "CVE-2026-55276",
"cwe": {
"id": "CWE-778",
"name": "Insufficient Logging"
},
"discovery_date": "2026-06-29T21:01:38.615799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494675"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. Due to an always-incorrect control flow implementation, special roles and empty authorization constraints were not accurately included when the effective web.xml configuration was logged. This could lead to a security oversight where administrators might misinterpret the actual authorization constraints, potentially impacting the security posture of the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat. When the effective web.xml logging feature is enabled for debugging, special roles and empty authorization constraints may be omitted from the logged output. This is a logging-only issue with no runtime security impact \u2014 it only affects the accuracy of debug log output for administrators reviewing the effective web.xml configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55276"
},
{
"category": "external",
"summary": "RHBZ#2494675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55276"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55276",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55276"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v",
"url": "https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v"
}
],
"release_date": "2026-06-29T20:42:23.257000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T17:15:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:29203"
},
{
"category": "workaround",
"details": "This is a logging-only issue with no runtime security impact. No mitigation is required. Administrators should not rely solely on the effective web.xml debug log output to verify security constraint configuration.",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow"
},
{
"cve": "CVE-2026-55955",
"cwe": {
"id": "CWE-294",
"name": "Authentication Bypass by Capture-replay"
},
"discovery_date": "2026-06-29T21:01:48.701284+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494678"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Replay attack via improper authentication in EncryptionInterceptor",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat\u0027s EncryptionInterceptor used for Tribes cluster communication. An improper authentication vulnerability allows a replay attack against encrypted cluster messages. Exploitation requires the EncryptionInterceptor to be configured for Tomcat clustering, which is a non-default configuration, and the attacker must have access to the cluster network to capture and replay messages. Apache rates this vulnerability as Low severity. Red Hat has corrected the impact from IMPORTANT to MODERATE \u2014 the original AI-Bot CVSS of 8.2 (AV:N/AC:L) incorrectly scored this as internet-facing with low complexity, when Tribes cluster traffic is adjacent-network (AV:A) and requires non-default clustering configuration (AC:H). The corrected vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.2).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55955"
},
{
"category": "external",
"summary": "RHBZ#2494678",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494678"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55955",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55955"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55955",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55955"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106",
"url": "https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106"
}
],
"release_date": "2026-06-29T20:44:39.779000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-24T17:15:25+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:29203"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments using the EncryptionInterceptor for Tribes cluster communication. Deployments that do not use Tomcat clustering or do not configure the EncryptionInterceptor are not affected. Ensure cluster communication channels are restricted to trusted, isolated networks.",
"product_ids": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat10-main@noarch",
"Red Hat Hardened Images:tomcat10-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: Apache Tomcat: Replay attack via improper authentication in EncryptionInterceptor"
}
]
}
RHSA-2026:32960
Vulnerability from csaf_redhat - Published: 2026-06-29 09:02 - Updated: 2026-06-30 15:09Summary
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Severity
Important
Notes
Topic: An update for Red Hat Hardened Images RPMs is now available.
Details: This update includes the following RPMs:
tomcat11:
* tomcat11-11.0.23-0.1.hum1 (noarch)
* tomcat11-admin-webapps-11.0.23-0.1.hum1 (noarch)
* tomcat11-common-11.0.23-0.1.hum1 (noarch)
* tomcat11-docs-webapp-11.0.23-0.1.hum1 (noarch)
* tomcat11-el-6.0-api-11.0.23-0.1.hum1 (noarch)
* tomcat11-jsp-4.0-api-11.0.23-0.1.hum1 (noarch)
* tomcat11-lib-11.0.23-0.1.hum1 (noarch)
* tomcat11-servlet-6.1-api-11.0.23-0.1.hum1 (noarch)
* tomcat11-user-instance-11.0.23-0.1.hum1 (noarch)
* tomcat11-webapps-11.0.23-0.1.hum1 (noarch)
* tomcat11-11.0.23-0.1.hum1.src (src)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Apache Tomcat. This vulnerability, known as Cross-Site Scripting (XSS), allows a remote attacker to inject malicious scripts into the 'number guess example' web page. When other users view the compromised page, these scripts can execute in their web browsers. This could lead to unauthorized access to sensitive information or allow an attacker to alter the content of the website.
5.4 (Medium)
Affected products
Threats
Impact
Moderate
A flaw was found in Apache Tomcat's rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations.
6.5 (Medium)
Affected products
Threats
Impact
Moderate
A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security controls might not be properly enforced.
CWE-390 - Detection of Error Condition Without ActionAffected products
Threats
Impact
Low
A flaw was found in Apache Tomcat. Due to an always-incorrect control flow implementation, special roles and empty authorization constraints were not accurately included when the effective web.xml configuration was logged. This could lead to a security oversight where administrators might misinterpret the actual authorization constraints, potentially impacting the security posture of the application.
CWE-778 - Insufficient LoggingAffected products
Threats
Impact
Low
A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component.
4.2 (Medium)
Affected products
Threats
Impact
Important
References
36 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ntomcat11:\n * tomcat11-11.0.23-0.1.hum1 (noarch)\n * tomcat11-admin-webapps-11.0.23-0.1.hum1 (noarch)\n * tomcat11-common-11.0.23-0.1.hum1 (noarch)\n * tomcat11-docs-webapp-11.0.23-0.1.hum1 (noarch)\n * tomcat11-el-6.0-api-11.0.23-0.1.hum1 (noarch)\n * tomcat11-jsp-4.0-api-11.0.23-0.1.hum1 (noarch)\n * tomcat11-lib-11.0.23-0.1.hum1 (noarch)\n * tomcat11-servlet-6.1-api-11.0.23-0.1.hum1 (noarch)\n * tomcat11-user-instance-11.0.23-0.1.hum1 (noarch)\n * tomcat11-webapps-11.0.23-0.1.hum1 (noarch)\n * tomcat11-11.0.23-0.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:32960",
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55955",
"url": "https://access.redhat.com/security/cve/CVE-2026-55955"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55956",
"url": "https://access.redhat.com/security/cve/CVE-2026-55956"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55957",
"url": "https://access.redhat.com/security/cve/CVE-2026-55957"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-55276",
"url": "https://access.redhat.com/security/cve/CVE-2026-55276"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53404",
"url": "https://access.redhat.com/security/cve/CVE-2026-53404"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-50229",
"url": "https://access.redhat.com/security/cve/CVE-2026-50229"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53434",
"url": "https://access.redhat.com/security/cve/CVE-2026-53434"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_32960.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-06-30T15:09:04+00:00",
"generator": {
"date": "2026-06-30T15:09:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:32960",
"initial_release_date": "2026-06-29T09:02:11+00:00",
"revision_history": [
{
"date": "2026-06-29T09:02:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-30T09:54:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T15:09:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat11-main@noarch",
"product": {
"name": "tomcat11-main@noarch",
"product_id": "tomcat11-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat11@11.0.23-0.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat11-main@src",
"product": {
"name": "tomcat11-main@src",
"product_id": "tomcat11-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat11@11.0.23-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat11-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:tomcat11-main@noarch"
},
"product_reference": "tomcat11-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat11-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:tomcat11-main@src"
},
"product_reference": "tomcat11-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-50229",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-06-29T21:02:24.415552+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494688"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. This vulnerability, known as Cross-Site Scripting (XSS), allows a remote attacker to inject malicious scripts into the \u0027number guess example\u0027 web page. When other users view the compromised page, these scripts can execute in their web browsers. This could lead to unauthorized access to sensitive information or allow an attacker to alter the content of the website.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Cross-Site Scripting vulnerability in number guess example",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat. A Cross-Site Scripting (XSS) vulnerability exists in the \"number guess\" example web application shipped with Tomcat. An attacker can inject malicious scripts into the example page, which execute in other users\u0027 browsers when they view the page. This vulnerability only affects the example web application, not the Tomcat servlet container itself. Red Hat Tomcat packages do not deploy example applications by default \u2014 they are in separate optional packages (e.g., tomcat-webapps) that are not installed in production environments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-50229"
},
{
"category": "external",
"summary": "RHBZ#2494688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-50229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50229"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-50229",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50229"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0",
"url": "https://lists.apache.org/thread/wlt2no8bw45zl1w8byop4zfqphldf5j0"
}
],
"release_date": "2026-06-29T20:36:24.683000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T09:02:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "workaround",
"details": "Remove or disable the Tomcat example web applications if they are deployed. Example applications are not needed for production use and should not be accessible in production environments.",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat: Cross-Site Scripting vulnerability in number guess example"
},
{
"cve": "CVE-2026-53404",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2026-06-29T21:01:58.363486+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494681"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat\u0027s rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache Tomcat: Apache Tomcat: Incorrect control flow in rewrite valve allows unexpected rule processing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat\u0027s RewriteValve. When rewrite rules use OR-chained conditions followed by non-OR conditions, the processing logic may not evaluate conditions correctly, potentially allowing unintended rule matches. Exploitation requires the RewriteValve to be enabled with specific OR-chained condition patterns, which is not a default configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53404"
},
{
"category": "external",
"summary": "RHBZ#2494681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53404",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53404"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz",
"url": "https://lists.apache.org/thread/rdhpghgfskrdmw9hqzjgjrtw538smpmz"
}
],
"release_date": "2026-06-29T20:39:45.317000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T09:02:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments that use the RewriteValve with OR-chained rewrite conditions. Deployments that do not use the RewriteValve are not affected. Review rewrite rules for OR-chained conditions and test rule evaluation behavior.",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Apache Tomcat: Apache Tomcat: Incorrect control flow in rewrite valve allows unexpected rule processing"
},
{
"cve": "CVE-2026-53434",
"cwe": {
"id": "CWE-390",
"name": "Detection of Error Condition Without Action"
},
"discovery_date": "2026-06-29T21:01:05.687650+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494668"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security controls might not be properly enforced.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Error condition not handled when configuring CRLs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat. When using the FFM-based connector with CRL-based certificate revocation checking, an error in CRL data processing is not handled correctly, potentially allowing revoked certificates to be accepted. This only affects Tomcat 10.1.0-M7+ and 11.x using the FFM connector (Java 22+ Foreign Function \u0026 Memory API) with CRL configuration \u2014 an extremely narrow set of conditions not present in standard Red Hat deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53434"
},
{
"category": "external",
"summary": "RHBZ#2494668",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494668"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53434",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53434"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/x510lbq0sfrd1qyo7q3r1mpllgpdcosk",
"url": "https://lists.apache.org/thread/x510lbq0sfrd1qyo7q3r1mpllgpdcosk"
}
],
"release_date": "2026-06-29T20:41:06.948000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T09:02:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments using the FFM-based connector (requires Java 22+) with CRL-based certificate revocation checking. Deployments using the standard NIO/NIO2 connectors or not using CRL checking are not affected.",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Error condition not handled when configuring CRLs"
},
{
"cve": "CVE-2026-55276",
"cwe": {
"id": "CWE-778",
"name": "Insufficient Logging"
},
"discovery_date": "2026-06-29T21:01:38.615799+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494675"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. Due to an always-incorrect control flow implementation, special roles and empty authorization constraints were not accurately included when the effective web.xml configuration was logged. This could lead to a security oversight where administrators might misinterpret the actual authorization constraints, potentially impacting the security posture of the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat. When the effective web.xml logging feature is enabled for debugging, special roles and empty authorization constraints may be omitted from the logged output. This is a logging-only issue with no runtime security impact \u2014 it only affects the accuracy of debug log output for administrators reviewing the effective web.xml configuration.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55276"
},
{
"category": "external",
"summary": "RHBZ#2494675",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494675"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55276",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55276"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55276",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55276"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v",
"url": "https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v"
}
],
"release_date": "2026-06-29T20:42:23.257000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T09:02:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "workaround",
"details": "This is a logging-only issue with no runtime security impact. No mitigation is required. Administrators should not rely solely on the effective web.xml debug log output to verify security constraint configuration.",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Misleading security logs due to incorrect control flow"
},
{
"cve": "CVE-2026-55955",
"cwe": {
"id": "CWE-294",
"name": "Authentication Bypass by Capture-replay"
},
"discovery_date": "2026-06-29T21:01:48.701284+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2494678"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Replay attack via improper authentication in EncryptionInterceptor",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Apache Tomcat\u0027s EncryptionInterceptor used for Tribes cluster communication. An improper authentication vulnerability allows a replay attack against encrypted cluster messages. Exploitation requires the EncryptionInterceptor to be configured for Tomcat clustering, which is a non-default configuration, and the attacker must have access to the cluster network to capture and replay messages. Apache rates this vulnerability as Low severity. Red Hat has corrected the impact from IMPORTANT to MODERATE \u2014 the original AI-Bot CVSS of 8.2 (AV:N/AC:L) incorrectly scored this as internet-facing with low complexity, when Tribes cluster traffic is adjacent-network (AV:A) and requires non-default clustering configuration (AC:H). The corrected vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.2).",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-55955"
},
{
"category": "external",
"summary": "RHBZ#2494678",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494678"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-55955",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55955"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-55955",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55955"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106",
"url": "https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106"
}
],
"release_date": "2026-06-29T20:44:39.779000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-29T09:02:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:32960"
},
{
"category": "workaround",
"details": "This vulnerability only affects Tomcat deployments using the EncryptionInterceptor for Tribes cluster communication. Deployments that do not use Tomcat clustering or do not configure the EncryptionInterceptor are not affected. Ensure cluster communication channels are restricted to trusted, isolated networks.",
"product_ids": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:tomcat11-main@noarch",
"Red Hat Hardened Images:tomcat11-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: Apache Tomcat: Replay attack via improper authentication in EncryptionInterceptor"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…