CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/12/10	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::

History

14 May 2026, 18:46

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m -~~	() https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m - Mailing List, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2026/05/12/10 -~~	() http://www.openwall.com/lists/oss-security/2026/05/12/10 - Mailing List, Third Party Advisory
First Time		Apache tomcat Apache
CPE		cpe:2.3:a:apache:tomcat::::::::

13 May 2026, 18:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.7

12 May 2026, 18:17

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/12/10 -

12 May 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 16:16

Updated : 2026-05-14 18:46

NVD link : CVE-2026-43514

Mitre link : CVE-2026-43514

CVE.ORG link : CVE-2026-43514

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2026-43514", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2026-05-12T16:16:18.370", "references": [{"url": "https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/12/10", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "Observable Timing Discrepancy vulnerability\u00a0when comparing AJP secret in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOlder unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."}], "lastModified": "2026-05-14T18:46:41.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BE0EC99-5BCD-4F7F-8124-4A1734B7BF6B", "versionEndIncluding": "7.0.109", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF43D0D7-FBF3-4D7A-84C4-47B65A75A524", "versionEndIncluding": "8.5.100", "versionStartIncluding": "8.5.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E5A897C-91F4-449E-984C-7D693B137EED", "versionEndExcluding": "9.0.118", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F289287-8587-4BB3-B4AB-3B5CF4A7D27A", "versionEndExcluding": "10.1.55", "versionStartIncluding": "10.1.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03FB799D-A66F-4792-A0CF-16D67BB53F08", "versionEndExcluding": "11.0.22", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}