Apache Tomcat Vulnerabilities Enable Authentication Bypass in Enterprise Systems

Introduction

Two newly disclosed Apache Tomcat vulnerabilities are raising urgent concerns across enterprise environments, as they allow attackers to bypass authentication controls protecting web applications. The flaws, tracked as CVE-2026-55957 and CVE-2026-55956, affect multiple widely deployed versions of the servlet container, making these Apache Tomcat vulnerabilities particularly critical for organizations relying on Java-based web infrastructure.

The Apache Software Foundation has confirmed that both issues stem from improper enforcement of security constraints, potentially exposing sensitive endpoints to unauthorized access.

Key Details

The vulnerabilities impact Apache Tomcat versions across three major release branches:

  • CVE-2026-55957 (Important severity):
    • Affects Tomcat 11.0.0-M1 to 11.0.4
    • Affects Tomcat 10.1.0-M1 to 10.1.36
    • Affects Tomcat 9.0.0.M1 to 9.0.100
  • CVE-2026-55956 (Moderate severity):
    • Affects Tomcat 11.0.0-M1 to 11.0.22
    • Affects Tomcat 10.1.0-M1 to 10.1.55
    • Affects Tomcat 9.0.0.M1 to 9.0.118

The Apache Software Foundation has released patches in the following versions:

  • 11.0.5, 10.1.37, 9.0.101 (for CVE-2026-55957)
  • 11.0.23, 10.1.56, 9.0.119 (for CVE-2026-55956)

Security researcher Ilan Toyter is credited with responsibly disclosing the issue.

Notably, there are no viable workarounds, making immediate upgrades the only effective mitigation.

Technical Analysis

The two flaws sit in different parts of Tomcat's access-control path. CVE-2026-55957 concerns JNDIRealm, the realm that authenticates users against an LDAP directory. CVE-2026-55956 concerns how the <security-constraint> rules declared in web.xml are matched against requests that reach the default servlet.

Method scoping is the central issue for the default-servlet flaw. Administrators routinely limit a constraint to particular HTTP methods, for example leaving GET open while requiring authentication for, or denying outright, PUT and DELETE. When the request-matching logic does not apply such a method-scoped constraint consistently, a request that should have been challenged or rejected is handed to the servlet as if it were permitted.
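To make the constraint language concrete, here is an added example (not Tomcat's code and not from the original advisory) that parses the <security-constraint> blocks of a web.xml and reports, per url-pattern, which HTTP methods no constraint covers. The embedded web.xml is constructed for illustration and shows the long-standing pitfall that sits next to this class of bug: listing PUT and DELETE in a constraint protects only those two methods, so POST, PATCH, OPTIONS and the rest pass through unchecked unless the descriptor also declares <deny-uncovered-http-methods/>. The url-pattern matcher is a simplified form of the servlet rules and does not reproduce how Tomcat merges overlapping constraints.

```python
"""Audit the <security-constraint> blocks of a Tomcat web.xml for uncovered HTTP methods.

Added example, not Tomcat's own code. SAMPLE_WEB_XML is constructed; the url-pattern
matcher is a simplified form of the servlet rules (exact, then '/x/*' prefix, then '*.ext')
and does not reproduce how Tomcat's RealmBase merges overlapping constraints.
"""
import xml.etree.ElementTree as ET

# Constructed sample. Intent: anyone may GET /admin/*, PUT and DELETE are denied outright.
# Because only PUT and DELETE are listed, every other method (POST, PATCH, OPTIONS, TRACE...)
# is *uncovered* and reaches the default servlet unchecked unless the web-app declares
# <deny-uncovered-http-methods/>. Tomcat logs a warning about uncovered methods at startup.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area, unsafe methods</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>  <!-- empty auth-constraint: no role is allowed, i.e. deny all -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>analyst</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE")

def parse_constraints(xml_text):
    """Return (deny_uncovered, collections). '{*}' wildcards the namespace so javaee
    and jakartaee descriptors parse alike (Python 3.8+)."""
    root = ET.fromstring(xml_text)
    deny_uncovered = root.find("{*}deny-uncovered-http-methods") is not None
    collections = []
    for sc in root.findall("{*}security-constraint"):
        auth = sc.find("{*}auth-constraint")
        # None: no auth-constraint (unrestricted).  []: empty element, deny everyone.
        roles = None if auth is None else [r.text.strip() for r in auth.findall("{*}role-name")]
        for wrc in sc.findall("{*}web-resource-collection"):
            collections.append({
                "patterns": [p.text.strip() for p in wrc.findall("{*}url-pattern")],
                "methods": {m.text.strip().upper() for m in wrc.findall("{*}http-method")},
                "omissions": {m.text.strip().upper() for m in wrc.findall("{*}http-method-omission")},
                "roles": roles,
            })
    return deny_uncovered, collections

def covers(col, method):
    """Does this web-resource-collection apply to the method? No method elements = all."""
    if col["methods"]:
        return method in col["methods"]
    return method not in col["omissions"]

def pattern_matches(pattern, path):
    """Simplified servlet url-pattern matching."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def uncovered_methods(collections, deny_uncovered, methods=COMMON_METHODS):
    """url-pattern -> methods that no auth-bearing constraint covers. Empty when
    <deny-uncovered-http-methods/> is set, since Tomcat then rejects them itself."""
    if deny_uncovered:
        return {}
    report = {}
    for pattern in sorted({p for c in collections for p in c["patterns"]}):
        matching = [c for c in collections if pattern in c["patterns"] and c["roles"] is not None]
        gaps = [m for m in methods if not any(covers(c, m) for c in matching)]
        if matching and gaps:
            report[pattern] = gaps
    return report

def decision(collections, method, path):
    """'open', 'deny' or 'auth:<roles>' for one request, using only the most specific
    matching pattern (Tomcat merges all constraints at the winning level; this keeps one)."""
    best = None
    for col in collections:
        if col["roles"] is None or not covers(col, method):
            continue
        for pattern in col["patterns"]:
            if pattern_matches(pattern, path):
                rank = (3 if pattern == path else 2 if pattern.endswith("/*") else 1, len(pattern))
                if best is None or rank > best[0]:
                    best = (rank, col)
    if best is None:
        return "open"
    return "deny" if best[1]["roles"] == [] else "auth:" + ",".join(best[1]["roles"])

if __name__ == "__main__":
    deny, cols = parse_constraints(SAMPLE_WEB_XML)
    print("uncovered:", uncovered_methods(cols, deny))
    for m in ("GET", "POST", "PUT"):
        print(m, "/admin/config.xml ->", decision(cols, m, "/admin/config.xml"))
```

Run against the constructed descriptor, the audit reports /admin/* as uncovered for GET, HEAD, POST, PATCH, OPTIONS and TRACE, and `decision` shows the consequence: PUT /admin/config.xml is denied, POST to the same path is open. Adding <deny-uncovered-http-methods/> to the web-app empties the report. This is the configuration-level check worth running on every deployed web.xml after patching, independent of the Tomcat version in use.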

CVE-2026-55957: JNDIRealm Authentication Bypass

This flaw specifically affects environments using JNDIRealm with GSSAPI-authenticated bind, commonly used for LDAP-backed authentication.

  • Attackers can bypass authentication controls entirely
  • Security constraints tied to HTTP methods are ignored
  • Protected resources become accessible without valid credentials

From a MITRE ATT&CK perspective, this aligns with:

  • T1190: Exploit Public-Facing Application
  • T1078: Valid Accounts (only loosely: the attacker obtains the access a valid account would grant without holding one, so treat T1190 as the primary mapping)

CVE-2026-55956: Default Servlet Constraint Bypass

While rated lower in severity, this vulnerability was present in a longer run of releases on every branch (fixed in 11.0.23, 10.1.56 and 9.0.119, versus 11.0.5, 10.1.37 and 9.0.101 for CVE-2026-55957). An instance patched only for the earlier issue therefore remains exposed to this one.

  • Attackers can invoke restricted endpoints with HTTP methods the constraint was expected to filter
  • Access control policies defined in web.xml may not behave as intended

In both cases, the flaw creates a gap between expected and actual access control enforcement.

Impact and Risks

These vulnerabilities are particularly dangerous in enterprise environments where Apache Tomcat serves as a backend for:

  • Internal administrative portals
  • API endpoints handling sensitive data
  • Identity-integrated applications using LDAP or Active Directory

Potential impacts include:

  • Unauthorized access to sensitive data or admin functions
  • Bypass of authentication layers in enterprise applications
  • Increased attack surface for lateral movement
  • Compliance violations due to broken access controls

Organizations using JNDIRealm integrations are at higher risk, especially in environments relying on Kerberos or GSSAPI for authentication.

Expert Recommendations

Security teams should act immediately to reduce exposure:

  • Upgrade Tomcat to patched versions without delay
  • Audit all web.xml security constraints after patching to confirm enforcement
  • Review applications using the default servlet for sensitive content exposure
  • Validate LDAP and JNDIRealm configurations, especially with GSSAPI bindings
  • Implement web application firewall (WAF) rules to restrict unsafe HTTP methods
  • Monitor access logs for anomalous HTTP method usage (e.g., unexpected PUT/DELETE requests)
  • Integrate detection into SIEM platforms for visibility into suspicious request patterns

For high-security environments, consider adding compensating controls such as API gateways or reverse proxies enforcing strict method filtering. Edge filtering only narrows exposure for a bypass that depends on methods you can block, so it reduces risk but does not replace the upgrade, which the vendor lists as the only effective mitigation.
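The log-monitoring recommendation above can be turned into a concrete check. The following is an added example (not Tomcat's code and not from the original page) that parses Tomcat AccessLogValve lines in the default "common" pattern (%h %l %u %t "%r" %s %b) and raises three signals on paths you consider protected: a 2xx response on a protected path with no remote user in %u, any method outside the expected set on a protected path, and a single host exercising several distinct methods against protected paths, which is what method enumeration for a bypass looks like. The log lines and PROTECTED_PREFIXES are constructed assumptions; replace the prefixes with the url-patterns from your web.xml. One caveat the code comments repeat: %u is only populated by container-managed authentication through a Realm, so for applications that authenticate in a filter the "no remote user" signal is meaningless and the method-based signals are the ones to keep.

```python
"""Flag suspicious requests to protected paths in Tomcat access logs.

Added example, not Tomcat's or the page's own code. SAMPLE_LOG lines are constructed and
PROTECTED_PREFIXES is an assumption to replace with your web.xml url-patterns. The parser
expects the AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

PROTECTED_PREFIXES = ("/admin/", "/api/internal/")   # assumption: mirror your web.xml
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}     # what these paths legitimately receive

# Constructed sample: one authenticated admin, one refused anonymous GET, then one external
# host walking unsafe methods against /admin/ and receiving 2xx with no remote user.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:15:31 +0000] "GET /admin/dashboard HTTP/1.1" 200 5123
10.0.0.5 - - [12/Mar/2026:10:15:32 +0000] "GET /admin/dashboard HTTP/1.1" 401 0
198.51.100.7 - - [12/Mar/2026:10:16:01 +0000] "PUT /admin/config.xml HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2026:10:16:02 +0000] "DELETE /admin/users/42 HTTP/1.1" 204 -
198.51.100.7 - - [12/Mar/2026:10:16:03 +0000] "PATCH /admin/users/42?force=1 HTTP/1.1" 200 88
198.51.100.7 - - [12/Mar/2026:10:16:04 +0000] "TRACE /admin/ HTTP/1.1" 405 0
203.0.113.9 - - [12/Mar/2026:10:17:10 +0000] "GET /public/index.html HTTP/1.1" 200 1024
203.0.113.9 - - [12/Mar/2026:10:17:11 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in common format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string before prefix checks
    return rec


def analyze(log_text, protected=PROTECTED_PREFIXES, probe_threshold=3):
    """Return three signals:
    unauth_success - 2xx on a protected path with no remote user (%u == '-'). Meaningful
                     only with container-managed auth (a Realm); filter-based logins leave
                     %u empty even for real users.
    unusual_method - a method outside SAFE_METHODS on a protected path, whatever the
                     status. A 405 there is healthy; a 200 is not.
    probers        - hosts that used >= probe_threshold distinct methods on protected paths,
                     the shape of someone enumerating methods for a bypass.
    """
    unauth_success, unusual_method = [], []
    methods_by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(tuple(protected)):
            continue
        methods_by_host[rec["host"]].add(rec["method"])
        if rec["method"] not in SAFE_METHODS:
            unusual_method.append(rec)
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            unauth_success.append(rec)
    probers = sorted(h for h, ms in methods_by_host.items() if len(ms) >= probe_threshold)
    return {"unauth_success": unauth_success, "unusual_method": unusual_method, "probers": probers}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rec in result["unauth_success"]:
        print(f"UNAUTH 2xx  {rec['host']} {rec['method']} {rec['path']} -> {rec['status']}")
    for rec in result["unusual_method"]:
        print(f"METHOD      {rec['host']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("method probers:", result["probers"])
```

On the constructed sample the three PUT/DELETE/PATCH requests from 198.51.100.7 are reported twice (unexpected method and unauthenticated 2xx), the TRACE is reported once as an unexpected method that the server correctly refused, and that host is listed as a prober. The GET that returned 401 is not reported: a refused anonymous request is the control working, and alerting on it would bury the real signal. For SIEM integration the same logic maps onto a query over the parsed fields rather than a script, but the conditions are the ones to encode.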

Industry Context

These Apache Tomcat vulnerabilities reflect a broader pattern in web application security: misconfigurations and subtle logic flaws in access control mechanisms continue to be a leading cause of breaches.

Similar issues have appeared in other Java-based frameworks and middleware, where enforcement gaps between configuration intent and runtime behavior create exploitable conditions.

As organizations increasingly rely on microservices and API-driven architectures, method-level access control becomes more critical—and more error-prone.

This also underscores the importance of continuous validation of security controls, not just their configuration.

Conclusion

The discovery of CVE-2026-55957 and CVE-2026-55956 highlights how even mature platforms like Apache Tomcat can harbor critical access control flaws. With no workarounds available, timely patching is essential.

Organizations should treat these vulnerabilities as high priority, particularly where Tomcat underpins authentication-sensitive applications. Ensuring that access control policies behave as intended is no longer optional—it is foundational to modern application security.

FAQ SECTION

What are CVE-2026-55957 and CVE-2026-55956?

They are Apache Tomcat vulnerabilities that allow attackers to bypass authentication and security constraints: an authentication bypass in JNDIRealm (CVE-2026-55957) and a bypass of <security-constraint> rules on the default servlet, including their HTTP method restrictions (CVE-2026-55956).

Which Apache Tomcat versions are affected?

Multiple versions across Tomcat 9, 10.1, and 11 are affected. Organizations should upgrade to the latest patched releases immediately.

How does the authentication bypass work?

The flaws allow attackers to exploit inconsistencies in how Tomcat enforces <security-constraint> rules, enabling access to protected resources using unrestricted HTTP methods.

Is there a workaround for these vulnerabilities?

No. The Apache Software Foundation has confirmed that upgrading to patched versions is the only effective mitigation.

Why is JNDIRealm particularly at risk?

JNDIRealm environments using GSSAPI for LDAP authentication can allow full authentication bypass, making them especially critical to patch.
