Back to overview

CVE-2026-55956

MEDIUM
6.5
CVSS 3.1
Description
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Metadata

CVE ID
CVE-2026-55956
State
PUBLISHED
Assigner
apache
Reserved
2026-06-17 18:36 UTC
Published
2026-06-29 20:46 UTC
Last updated
2026-06-30 13:25 UTC
Primary CWE
CWE-285
CWE-285 Improper Authorization
Vendor / Product
Apache Software Foundation / Apache Tomcat
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Apache Software Foundation Apache Tomcat 11.0.0-M1 ≤ 11.0.22, 10.1.0-M1 ≤ 10.1.55, 9.0.0.M1 ≤ 9.0.118, 8.5.0 ≤ 8.5.100 …
Weakness (CWE)
CWESourceDescription
CWE-285 cna CWE-285 Improper Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 adp CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Back to overview