Primary

Context

Apache Tomcat Unbounded Resource Allocation Vulnerability in WebDAV LOCK and PROPFIND Handling

Vulnerability

Patched

A vulnerability allowing unbounded resource allocation has been identified in Apache Tomcat's WebDAV LOCK and PROPFIND request handling. This issue affects Apache Tomcat versions 11.0.0-M1 prior to 11.0.21, 10.1.0-M1 prior to 10.1.54, and 9.0.0-M1 prior to 9.0.117. Older, unsupported versions may also be affected. The vulnerability arises because no limit was imposed on the request body for WebDAV LOCK or PROPFIND requests, which were accessible to unauthenticated users.

Impact

Exploitation of this vulnerability could lead to unbounded resource consumption, potentially causing a denial-of-service condition.

Remediation

Users should upgrade to Apache Tomcat 11.0.22 or later, 10.1.55 or later, or 9.0.118 or later.

Added: May 12, 2026, 4:21 PM

Updated: May 12, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread

8.8

impact

2.5

exploitability

7.6

remediation

7.7

relevance

8.1

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.8

impact

2.5

exploitability

7.6

remediation

7.7

relevance

8.1

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Tomcat Unbounded Resource Allocation Vulnerability in WebDAV LOCK and PROPFIND Handling

Vulnerability

Impact

Remediation

Affected Products

Apache Tomcat

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating