
Two New Vulnerabilities in Apache Tomcat Pose Authentication Bypass Risk!
Two new security vulnerabilities discovered in the Apache Tomcat platform, which runs millions of web applications worldwide, pose a serious threat to corporate information systems. These vulnerabilities, announced by the Apache Software Foundation, could allow attackers to bypass misconfigured access control rules and gain unauthorized access to protected resources.
These vulnerabilities are registered under identifiers CVE-2026-55957 and CVE-2026-55956 and affect several major versions of Apache Tomcat. Therefore, experts urge all organizations using Tomcat to install security updates as soon as possible.
What Is Apache Tomcat?
Apache Tomcat is one of the most popular open-source servlet containers designed to run web applications built on the Java programming language. It is widely used in corporate information systems, banking services, government information resources, e-commerce platforms, and cloud services.
Tomcat also performs important security functions such as user authentication, session management, and access control in web applications. Therefore, any vulnerability in this platform can create opportunities for unauthorized access to protected data.
CVE-2026-55957: Authentication Bypass via JNDIRealm
The first discovered vulnerability is registered under identifier CVE-2026-55957 and has an Important severity level.
The issue is observed in the JNDIRealm component, especially in configurations that connect to LDAP directory services through GSSAPI authentication.
According to the analysis, Tomcat in some cases does not fully enforce the HTTP method restrictions specified in the security-constraint rules for the Default Servlet.
As a result, access restrictions set by administrators for only certain HTTP methods (such as PUT, DELETE, or POST) may be ignored.
This allows an attacker to access protected resources without authentication.
Affected Versions
This vulnerability has been identified in the following versions:
- Apache Tomcat 11.0.0-M1 – 11.0.4
- Apache Tomcat 10.1.0-M1 – 10.1.36
- Apache Tomcat 9.0.0.M1 – 9.0.100
Unsupported older versions may also be vulnerable.
The issue has been fixed starting with Tomcat versions 11.0.5, 10.1.37, and 9.0.101.
CVE-2026-55956: Default Servlet Security Rules Bypass
The second vulnerability is registered under identifier CVE-2026-55956 and has a Moderate severity level.
The root cause of this vulnerability is almost identical to the first one.
Due to Tomcat’s incorrect processing of <security-constraint> rules set for the Default Servlet, restrictions on HTTP methods are not applied in some cases.
As a result, resources that should be restricted for certain HTTP requests become accessible through other HTTP methods.
This increases the risk of unauthorized access to services or administrative interfaces that administrators believed to be protected.
Affected Versions
This vulnerability affects the following versions:
- Apache Tomcat 11.0.0-M1 – 11.0.22
- Apache Tomcat 10.1.0-M1 – 10.1.55
- Apache Tomcat 9.0.0.M1 – 9.0.118
Unsupported older versions may also be at risk.
The issue has been fixed starting with Tomcat versions 11.0.23, 10.1.56, and 9.0.119.
What Is the Core Issue?
The root cause of both vulnerabilities is related to the mechanism of incorrect enforcement of security-constraint rules in Tomcat.
Typically, administrators use the web.xml configuration file to allow access to certain URLs or resources only through specific HTTP methods.
For example:
- GET requests are allowed;
- PUT and DELETE requests are prohibited.
However, due to the discovered flaw, Tomcat in some situations does not properly validate the restrictions on these methods.
As a result, a possibility arises to access resources considered protected through other HTTP methods.
This can lead to dangerous consequences such as bypassing authentication mechanisms, viewing confidential information, or unauthorized use of administrative functions.
Who Is at Greatest Risk?
According to experts, the following environments are at the highest risk:
- JNDIRealm configurations using LDAP authentication;
- Tomcat servers integrated with Active Directory or LDAP via GSSAPI;
- systems where administrative panels or API services run through the Default Servlet;
- Internet-facing Tomcat servers;
- corporate Java applications running on older versions.
If method-based access control is applied on these servers, the vulnerability may be successfully exploited.
Protection Recommendations
Apache Software Foundation has stated that no temporary mitigation measures or workarounds are available for these vulnerabilities.
Therefore, the only reliable solution is to upgrade to the patched versions.
Experts recommend the following measures:
- upgrade Apache Tomcat to the patched versions as soon as possible;
- after the update, review the security-constraint rules in the web.xml file;
- test whether the HTTP method restrictions are working correctly;
- do not leave administrative interfaces and critical API services directly exposed to the Internet;
- audit LDAP and Active Directory authentication configurations;
- monitor unusual HTTP requests using WAF, SIEM, and EDR systems;
- regularly verify access control rules through security testing and penetration testing.
Conclusion
The CVE-2026-55957 and CVE-2026-55956 vulnerabilities have once again demonstrated how seemingly minor errors in access control mechanisms can pose serious risks to major corporate systems. Particularly when authentication and authorization rules are not functioning correctly, attackers may gain unauthorized access to resources that were considered protected.
Since Apache Tomcat is one of the most widely used Java web platforms worldwide, timely remediation of these vulnerabilities is a top priority for every organization. Administrators are advised to upgrade servers to patched versions, re-audit access control policies, and verify through practical testing that security rules based on HTTP methods are working correctly.



