Apache Tomcat Improper Authorization Vulnerability in HTTP Method Constraints

Vulnerability

A vulnerability has been identified in Apache Tomcat that results in improper authorization when multiple method constraints are defined for the same extension pattern (a `url-pattern` of the form `*.ext`). This issue affects Apache Tomcat versions 11.0.0-M1 prior to 11.0.21, 10.1.0-M1 prior to 10.1.54, 9.0.0-M1 prior to 9.0.117, 8.5.0 prior to 8.5.100, and 7.0.0 prior to 7.0.109. In the affected versions, only the first method constraint is applied, so the remaining constraints for that pattern are silently ignored, potentially leading to unauthorized access.

Impact

This vulnerability can result in security constraints not being correctly enforced, allowing unauthorized users to access resources or HTTP methods that they should not be able to reach.
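The configuration the advisory describes is easy to spot in a deployment descriptor: two or more `security-constraint` elements that both carry `http-method` entries for the same `*.ext` pattern. The following is an added example, not code from the advisory or from the Tomcat project. It parses a constructed `web.xml`, flags extension patterns shared by several method-constrained constraints, and then runs a deliberately simplified model of constraint matching (an assumption for illustration, not Tomcat's real matcher) to show why "only the first method constraint is applied" matters: a POST to `*.jsp` ends up with no role requirement at all instead of requiring `admin`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.xml (not taken from the advisory). Two constraints
# share the extension pattern *.jsp, each guarding a different HTTP method.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports-get</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports-post</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api-delete</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as '{http://...}url-pattern' -> 'url-pattern'."""
    return tag.rsplit('}', 1)[-1]


def parse_constraints(web_xml):
    """Return (name, url_patterns, http_methods, role_names) per security-constraint,
    in document order, which is the order the advisory's 'first constraint' refers to."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        name, patterns, methods, roles = '', [], [], []
        for el in sc.iter():
            tag, text = _local(el.tag), (el.text or '').strip()
            if tag == 'web-resource-name':
                name = text
            elif tag == 'url-pattern':
                patterns.append(text)
            elif tag == 'http-method':
                methods.append(text.upper())
            elif tag == 'role-name':
                roles.append(text)
        constraints.append((name, patterns, methods, roles))
    return constraints


def is_extension_pattern(pattern):
    """Servlet extension mappings have the form '*.ext'."""
    return pattern.startswith('*.')


def find_shared_extension_patterns(web_xml):
    """Audit check: extension patterns used by more than one method-constrained
    security-constraint. Returns {pattern: [(name, methods, roles), ...]}."""
    by_pattern = defaultdict(list)
    for name, patterns, methods, roles in parse_constraints(web_xml):
        if not methods:          # constraints without http-method are not in scope
            continue
        for p in patterns:
            if is_extension_pattern(p):
                by_pattern[p].append((name, tuple(methods), tuple(roles)))
    return {p: hits for p, hits in by_pattern.items() if len(hits) > 1}


def roles_required(web_xml, pattern, method, first_only):
    """Simplified matching model (an assumption for illustration, not Tomcat's
    actual algorithm). With first_only=True only the first method-constrained
    constraint for the pattern is consulted, mirroring the behaviour the advisory
    describes; with first_only=False every matching constraint contributes.
    An empty set means no auth-constraint applies to that method."""
    matches = [(methods, roles)
               for _, patterns, methods, roles in parse_constraints(web_xml)
               if pattern in patterns and methods]
    if first_only:
        matches = matches[:1]
    required = set()
    for methods, roles in matches:
        if method in methods:
            required.update(roles)
    return required


if __name__ == '__main__':
    for pattern, hits in find_shared_extension_patterns(SAMPLE_WEB_XML).items():
        print(f'{pattern} is method-constrained by {len(hits)} constraints: {hits}')
    for mode in (True, False):
        print(f'first_only={mode}: POST *.jsp requires',
              roles_required(SAMPLE_WEB_XML, '*.jsp', 'POST', first_only=mode))
```

Running the audit against the descriptors of an affected Tomcat deployment tells you whether the bug is reachable in your configuration before the upgrade lands; the `/api/*` constraint is ignored by the check because it is a path mapping, not an extension mapping. The model output makes the exposure concrete: under the first-only behaviour the `reports-post` constraint never contributes, so the POST carries no role requirement, whereas merging all constraints for `*.jsp` yields the intended `admin` requirement.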

Remediation

Users are advised to upgrade to Apache Tomcat versions 11.0.22, 10.1.55, or 9.0.118.

Added: May 12, 2026, 4:18 PM
Updated: May 12, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 8.8
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.