CVE-2026-55955 | Improper Authentication vulnerability in Apache Tomcat allow…

Description

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.

Metadata

CVE ID: CVE-2026-55955
State: PUBLISHED
Assigner: apache
Reserved: 2026-06-17 18:04 UTC
Published: 2026-06-29 20:44 UTC
Last updated: 2026-06-29 22:24 UTC
Primary CWE: CWE-287
CWE-287 Improper Authentication
Vendor / Product: Apache Software Foundation / Apache Tomcat
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache Tomcat	—	11.0.0-M1 ≤ 11.0.22, 10.1.0-M1 ≤ 10.1.55, 9.0.13 ≤ 9.0.118, 8.5.38 ≤ 8.5.100 …

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287 Improper Authentication

References (1)

https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106