CVE-2026-43515

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/12/11	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::

History

15 May 2026, 15:52

Type	Values Removed	Values Added
First Time		Apache tomcat Apache
References	~~() https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb -~~	() https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb - Mailing List, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2026/05/12/11 -~~	() http://www.openwall.com/lists/oss-security/2026/05/12/11 - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:apache:tomcat::::::::

14 May 2026, 20:17

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

12 May 2026, 18:17

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/12/11 -

12 May 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 16:16

Updated : 2026-05-15 15:52

NVD link : CVE-2026-43515

Mitre link : CVE-2026-43515

CVE.ORG link : CVE-2026-43515

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-285

Improper Authorization

{"id": "CVE-2026-43515", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-05-12T16:16:18.553", "references": [{"url": "https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/12/11", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."}], "lastModified": "2026-05-15T15:52:05.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BE0EC99-5BCD-4F7F-8124-4A1734B7BF6B", "versionEndIncluding": "7.0.109", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF43D0D7-FBF3-4D7A-84C4-47B65A75A524", "versionEndIncluding": "8.5.100", "versionStartIncluding": "8.5.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E5A897C-91F4-449E-984C-7D693B137EED", "versionEndExcluding": "9.0.118", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F289287-8587-4BB3-B4AB-3B5CF4A7D27A", "versionEndExcluding": "10.1.55", "versionStartIncluding": "10.1.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03FB799D-A66F-4792-A0CF-16D67BB53F08", "versionEndExcluding": "11.0.22", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}