Apache Tomcat Open Redirect Vulnerability in LoadBalancerDrainingValve

Vulnerability

An open redirect (URL redirection to an untrusted site) vulnerability has been identified in Apache Tomcat. It affects versions 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100; older, unsupported versions may also be affected. The issue is only reachable when a Tomcat node in a cluster has the LoadBalancerDrainingValve configured and the node is in the disabled (draining) state, i.e. the load balancer has marked it as no longer accepting new sessions. The valve's purpose is to redirect clients that reach a draining node without a valid session so that the load balancer routes them to another node; under these conditions a specially crafted URL sent to the draining node produces a redirect to a URI of the attacker's choice.
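As an added example (not Tomcat project code), the following script turns the version ranges and the configuration precondition above into a static exposure check: it parses a Tomcat version string, including the milestone spellings used in the advisory (11.0.0-M1, 9.0.0.M23), tests it against the affected ranges, and looks for the LoadBalancerDrainingValve in a server.xml. The server.xml fragment is constructed for the example; the version-line format assumed is the "Server version: Apache Tomcat/x.y.z" line that `catalina.sh version` prints. Whether a node is actually in the draining state is a runtime condition at the load balancer and is not visible to this check.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory text (both ends inclusive) and the releases it
# names as fixed. 8.5.x has no fixed release: that branch is end of life.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.18"),
    ("10.1.0-M1", "10.1.52"),
    ("9.0.0.M23", "9.0.115"),
    ("8.5.30", "8.5.100"),
]
FIXED_RELEASE = {(11, 0): "11.0.20", (10, 1): "10.1.53", (9, 0): "9.0.116"}

DRAINING_VALVE = "org.apache.catalina.valves.LoadBalancerDrainingValve"

# Matches "10.1.52", "11.0.0-M1" and the older "9.0.0.M23" milestone spelling,
# anchored at the end so a "Server version: Apache Tomcat/..." line also works.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple (major, minor, patch, is_ga, milestone).

    Milestones (M1, M2, ...) sort before the GA release of the same number,
    which is why is_ga sits in front of the milestone counter.
    """
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def has_draining_valve(server_xml: str) -> bool:
    """True if any <Valve> (Engine, Host or Context level) is the draining valve."""
    root = ET.fromstring(server_xml)
    return any(v.get("className") == DRAINING_VALVE for v in root.iter("Valve"))


def assess(version: str, server_xml: str) -> dict:
    """Combine both checks: the redirect is only reachable on an affected build
    that actually runs the valve (and, at runtime, only while the node drains)."""
    v = parse_version(version)
    affected = is_affected(version)
    valve = has_draining_valve(server_xml)
    if not affected:
        action = "not affected"
    elif (v[0], v[1]) in FIXED_RELEASE:
        action = f"upgrade to {FIXED_RELEASE[(v[0], v[1])]}"
    else:
        action = "no fixed release on this branch (EOL); migrate to a supported branch"
    return {
        "affected_version": affected,
        "valve_configured": valve,
        "exposed": affected and valve,
        "action": action,
    }


# Constructed server.xml fragment for the example, not from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">
      <Valve className="org.apache.catalina.valves.LoadBalancerDrainingValve"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("Server version: Apache Tomcat/10.1.52", "11.0.20", "8.5.100"):
        print(ver, "->", assess(ver, SAMPLE_SERVER_XML))
```

Run it against the output of `catalina.sh version` and the node's server.xml. A node whose server.xml does not declare the valve is not exposed to this issue regardless of version, but still carries whatever else the release is missing, so the version result alone is the one to act on.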

Impact

An attacker who gets a victim to follow a crafted link to a draining node can send the victim's browser to an arbitrary, attacker-controlled site while the link itself carries the trusted hostname, which is the usual lever for phishing. The redirect does not by itself disclose server data or execute code on the server, and it is only reachable while a node is in the draining state, so the window is tied to maintenance or rolling-restart periods rather than normal operation.
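The page does not disclose the form of the crafted URL, so the following is a generic illustration of the vulnerability class rather than the valve's code: an added example (not from Tomcat) of the checks a server-side redirect target has to pass before it is placed in a Location header. A browser resolves a relative Location against the request origin, so the goal is to accept only a genuine same-origin path and reject every spelling that a browser would resolve to another host. The function names and the sample targets are the example's own.

```python
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Accept only an absolute path on the current origin.

    Rejects, in order: empty values and control characters or whitespace
    (header injection, parser disagreement); backslashes, which browsers
    normalise to '/' so that '/\\host' becomes the protocol-relative '//host';
    anything not starting with a single '/' (absolute URLs, 'javascript:',
    '//host'); and finally anything urlsplit still sees a scheme or host in.
    """
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    if "\\" in target:
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the requested target if it is a local path, else the fallback."""
    return target if is_safe_local_redirect(target) else fallback


# Constructed sample targets for the example.
SAMPLE_TARGETS = [
    "/app/page?x=1",                  # local path with query: accepted
    "/",                              # site root: accepted
    "https://evil.example/",          # absolute URL: rejected
    "//evil.example/",                # protocol-relative: rejected
    "/\\evil.example",                # backslash normalised to '//' by browsers: rejected
    "javascript:alert(1)",            # scheme, not a path: rejected
    "/app\r\nSet-Cookie: a=b",        # CRLF, header injection: rejected
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:35} -> {safe_redirect_target(t)!r}")
```

The ordering matters: the backslash and `//` tests run before `urlsplit`, because `urlsplit("/\\evil.example")` reports no host even though a browser would treat it as one, so parsing alone is not a sufficient check.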

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.20, 10.1.53, or 9.0.116 (or later). No fixed release is listed for the 8.5.x branch, which is end of life; deployments still on 8.5 should migrate to a supported branch. Until the upgrade is applied, only nodes that have the LoadBalancerDrainingValve configured and are placed in the draining state meet the precondition for this issue.

Added: Apr 9, 2026, 9:22 PM
Updated: Apr 9, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm (score per category, 0 to 10)

  spread          8.8
  impact          0.2
  exploitability  7.2
  remediation     7.7
  relevance       5.5
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.