Apache Tomcat HTTP/0.9 Request Handling Vulnerability Allowing Security Constraint Bypass

Vulnerability

A vulnerability in Apache Tomcat related to improper input validation of HTTP/0.9 requests has been identified. Tomcat versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0.M1 through 9.0.112, as well as older, end-of-life versions, are affected. The issue arises because Tomcat did not restrict HTTP/0.9 requests to the GET method. This lack of restriction can be exploited to bypass security constraints. For instance, if a security constraint allows HEAD requests to a URI but denies GET requests, a user could send a HEAD request using HTTP/0.9 to circumvent the restriction on GET requests.
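
As an added example (not Tomcat's code), the following Python parses raw request lines, treats a line that carries no version token as an HTTP/0.9 simple request, and applies the GET-only restriction the advisory implies the fixed versions enforce; that restriction is assumed here, and the sample request lines are constructed.

```python
import re
from typing import NamedTuple, Optional

# HTTP/1.x request line: METHOD SP request-target SP HTTP/major.minor
_HTTP1_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
# HTTP/0.9 "simple request": METHOD SP request-target, no version token.
_HTTP09_LINE = re.compile(r"^([A-Z]+) (\S+)$")

class RequestLine(NamedTuple):
    method: str
    target: str
    version: str  # "HTTP/0.9" when the line carries no version token

def parse_request_line(line: str) -> Optional[RequestLine]:
    """Parse a raw request line; None if it is not well formed."""
    line = line.rstrip("\r\n")
    m = _HTTP1_LINE.match(line)
    if m:
        return RequestLine(m.group(1), m.group(2), m.group(3))
    m = _HTTP09_LINE.match(line)
    if m:
        return RequestLine(m.group(1), m.group(2), "HTTP/0.9")
    return None

def is_disallowed_http09(req: RequestLine) -> bool:
    """HTTP/0.9 defines only GET, so any other method over HTTP/0.9 is
    rejected before security constraints are evaluated (assumed to be
    the restriction the fixed versions apply)."""
    return req.version == "HTTP/0.9" and req.method != "GET"

def flag_request_lines(lines):
    """Raw request lines to reject or alert on: malformed lines and
    non-GET HTTP/0.9 simple requests."""
    flagged = []
    for raw in lines:
        req = parse_request_line(raw)
        if req is None or is_disallowed_http09(req):
            flagged.append(raw.rstrip("\r\n"))
    return flagged

# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1\r\n",  # ordinary HTTP/1.1 request
    "HEAD /admin/ HTTP/1.1\r\n",     # HEAD with a version: normal checks
    "GET /index.html\r\n",           # legitimate HTTP/0.9 simple request
    "HEAD /admin/\r\n",              # HTTP/0.9 with HEAD: flagged
    "POST /admin/\r\n",              # HTTP/0.9 with POST: flagged
]
```

The same check can be applied in a reverse proxy or WAF in front of an unpatched Tomcat until the upgrade is done.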

Impact

Exploitation of this vulnerability allows users to bypass security constraints, potentially leading to unauthorized access to resources or actions that should be restricted.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later.

Added: Feb 17, 2026, 7:42 PM
Updated: Feb 17, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm
spread          8.8
impact          0.6
exploitability  7.6
remediation     7.7
relevance       3.1
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.