Apache Tomcat Digest Authentication Bypass Vulnerability

Vulnerability

A vulnerability allowing authentication bypass in digest authentication has been identified in Apache Tomcat. This issue affects versions 11.0.0-M1 prior to 11.0.21, 10.1.0-M1 prior to 10.1.54, 9.0.0-M1 prior to 9.0.117, and 8.5.0 prior to 8.5.100. Older, unsupported versions may also be affected. The vulnerability arises because, when DIGEST authentication is enabled, any user not recognized by the configured Realm can be authenticated by presenting the password 'null'.
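The bug class behind this advisory (a realm lookup that returns no credential for an unknown user, and a check that keeps going with that missing value instead of stopping) is illustrated below in a small digest-authentication verifier. This is an added example, not Apache Tomcat's DigestAuthenticator code; the in-memory realm, the header values and the exact coercion of a missing password to the text "null" are all assumptions made for illustration, modelled on the advisory's description rather than taken from Tomcat's source.

```python
"""Fail-open versus fail-closed handling of an unknown user in HTTP Digest auth.
Added illustration of the bug class; NOT Apache Tomcat's own code."""
import hashlib
import secrets

# Constructed in-memory realm: only "alice" is a known user.
REALM_NAME = "example-realm"
REALM_USERS = {"alice": "correct horse battery staple"}


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5_hex(f"{username}:{REALM_NAME}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def lookup_password(username):
    """Realm lookup; returns None (Java: null) for users the realm does not know."""
    return REALM_USERS.get(username)


def _expected(hdr, password):
    return digest_response(hdr["username"], password, hdr["method"], hdr["uri"],
                           hdr["nonce"], hdr["nc"], hdr["cnonce"])


def verify_fail_open(hdr):
    """Assumed vulnerable pattern: the missing credential is coerced to the text "null"
    (what Java's String.valueOf(null) yields) instead of ending the check, so the
    server-side digest for every unknown user is computed over the password "null"."""
    password = lookup_password(hdr["username"])
    coerced = "null" if password is None else password
    return secrets.compare_digest(_expected(hdr, coerced), hdr["response"])


def verify_fail_closed(hdr):
    """Hardened form: an unknown user is rejected before any digest is compared."""
    password = lookup_password(hdr["username"])
    if password is None:
        return False
    return secrets.compare_digest(_expected(hdr, password), hdr["response"])


def client_header(username, password, method="GET", uri="/protected/",
                  nonce="constructed-nonce", nc="00000001", cnonce="constructed-cnonce"):
    """Builds the fields a client sends in its Authorization: Digest header (constructed values)."""
    hdr = {"username": username, "method": method, "uri": uri,
           "nonce": nonce, "nc": nc, "cnonce": cnonce}
    hdr["response"] = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return hdr


if __name__ == "__main__":
    unknown = client_header("nobody", "null")
    print("fail-open accepts unknown user:", verify_fail_open(unknown))      # True
    print("fail-closed accepts unknown user:", verify_fail_closed(unknown))  # False
```

The point for reviewers of any authenticator: a credential store returning "not found" must end the decision immediately. Stringifying or defaulting the missing value and letting the comparison run turns an absent account into one with a guessable password, which is exactly the condition the advisory describes.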

Impact

Exploitation of this vulnerability allows any unknown user to be authenticated when DIGEST authentication is used, potentially leading to unauthorized access.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.22, 10.1.55, or 9.0.118.
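A version check against the affected ranges stated in the Vulnerability section above, as an added helper that is not part of the advisory or of Tomcat. It assumes Tomcat's version strings look like "10.1.53" or "11.0.0-M1", and it treats milestone builds as ordering before the GA release with the same numbers, which is why each affected range begins at x.y.0-M1. The branch-to-first-unaffected mapping is taken from the advisory's "prior to" bounds; for 8.5 the advisory gives a bound (8.5.100) but lists no upgrade target, so the check reports affected status only and does not recommend a release.

```python
"""Classify a Tomcat version string against the advisory's affected ranges.
Added helper; not from the advisory or from Apache Tomcat."""
import re

# First release in each branch that the advisory does NOT list as affected
# ("prior to" bounds from the Vulnerability section).
FIRST_UNAFFECTED = {
    (11, 0): "11.0.21",
    (10, 1): "10.1.54",
    (9, 0): "9.0.117",
    (8, 5): "8.5.100",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str):
    """Sortable key: (major, minor, patch, is_ga, milestone).
    A milestone such as 11.0.0-M1 sorts before the GA build 11.0.0."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = (int(g) if g is not None else None for g in m.groups())
    is_ga = 1 if milestone is None else 0
    return (major, minor, patch, is_ga, milestone or 0)


def is_affected(version: str):
    """True or False for branches the advisory covers; None for branches it does not
    (the advisory says older, unsupported versions may also be affected)."""
    key = version_key(version)
    branch = key[:2]
    if branch not in FIRST_UNAFFECTED:
        return None
    return key < version_key(FIRST_UNAFFECTED[branch])


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered from each host's RELEASE-NOTES or version.sh output.
    for v in ["11.0.0-M1", "10.1.53", "10.1.54", "9.0.117", "8.5.99", "7.0.109"]:
        print(f"{v:>10}: affected={is_affected(v)}")
```

Feed it the version reported by each Tomcat instance in an inventory; a None result means the branch is outside the advisory's stated ranges and needs a separate judgement rather than a clean bill of health.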

Added: May 12, 2026, 4:20 PM
Updated: May 12, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 8.8
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.