
CVE-2026-55957

HIGH
7.3
CVSS 3.1
Description
Missing Critical Step in Authentication vulnerability in Apache Tomcat: when the JNDIRealm was configured to authenticate binds using GSSAPI, attackers could authenticate without providing the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, and from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fix the issue. No fixed release is listed for the 8.5.x and 7.0.x branches, which are end of life; deployments on those branches should move to a supported branch.
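The two things an operator needs to establish from this advisory are whether the running Tomcat falls inside the affected ranges and whether server.xml actually contains a JNDIRealm that authenticates binds with GSSAPI. The following is an added example (not Apache Tomcat project code and not part of the advisory) that encodes the ranges from the description above and performs both checks. It orders milestone builds (11.0.0-M1, 9.0.0.M1) before the GA release of the same x.y.z, which a plain string compare gets wrong. It assumes the Realm element's `authentication` attribute carries the JNDI authentication type (JNDIRealm's documented attribute for that setting); the server.xml fragment is constructed for illustration, and the 8.5.x/7.0.x ranges carry no fix version because the description lists none.

```python
# Added example for this advisory; not Apache Tomcat project code.
# Affected/fixed ranges are taken from the advisory text; server.xml is constructed.
import re
import xml.etree.ElementTree as ET

# (first affected, last affected, first fixed). 8.5.x and 7.0.x list no fix.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.4", "11.0.5"),
    ("10.1.0-M1", "10.1.36", "10.1.37"),
    ("9.0.0.M1", "9.0.100", "9.0.101"),
    ("8.5.0", "8.5.100", None),
    ("7.0.0", "7.0.109", None),
]

# Accepts "x.y.z", "x.y.z-Mn" (Tomcat 10/11 style) and "x.y.z.Mn" (Tomcat 9 style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Sortable tuple; milestones sort before GA of the same x.y.z:
    milestone -> (x, y, z, 0, n), GA -> (x, y, z, 1, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def assess_version(version):
    """Return (affected, fixed_version). fixed_version is None when not
    affected or when the branch has no fixed release listed."""
    v = parse_version(version)
    for first, last, fix in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return True, fix
    return False, None


JNDI_REALM_CLASS = "org.apache.catalina.realm.JNDIRealm"


def gssapi_jndi_realms(server_xml_text):
    """connectionURL of every JNDIRealm whose JNDI authentication type is GSSAPI.
    Assumption: the `authentication` attribute holds that type. Realms are
    matched anywhere in the tree, including inside LockOutRealm/CombinedRealm."""
    root = ET.fromstring(server_xml_text)
    hits = []
    for realm in root.iter("Realm"):
        if realm.get("className") != JNDI_REALM_CLASS:
            continue
        if realm.get("authentication", "").strip().upper() == "GSSAPI":
            hits.append(realm.get("connectionURL", "<no connectionURL>"))
    return hits


# Constructed server.xml: a GSSAPI realm nested in a LockOutRealm plus a simple-bind realm.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.internal:389"
               authentication="GSSAPI"
               userPattern="uid={0},ou=people,dc=example,dc=internal"/>
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap2.example.internal:389"
               authentication="simple"/>
      </Realm>
    </Engine>
  </Service>
</Server>
"""


def assess_deployment(version, server_xml_text):
    """Combine the version and configuration checks into one verdict string."""
    affected, fix = assess_version(version)
    realms = gssapi_jndi_realms(server_xml_text)
    if not affected:
        return f"not affected: Tomcat {version} is outside the advisory ranges"
    if not realms:
        return (f"version {version} is in an affected range but no JNDIRealm "
                "authenticates binds with GSSAPI; upgrade on the normal schedule")
    remedy = (f"upgrade to {fix}" if fix
              else "no fixed release listed for this branch; move to a supported branch")
    return f"EXPOSED: {len(realms)} GSSAPI JNDIRealm(s) on Tomcat {version}; {remedy}"


if __name__ == "__main__":
    for ver in ("11.0.0-M1", "9.0.100", "9.0.101", "8.5.100"):
        print(assess_deployment(ver, SAMPLE_SERVER_XML))
```

Run it against the real server.xml and the version reported by `catalina.sh version`; a deployment whose JNDIRealm binds with `simple` or `none` is still inside the affected range and should still be upgraded, but it is not the configuration the advisory describes.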

Metadata

CVE ID
CVE-2026-55957
State
PUBLISHED
Assigner
apache
Reserved
2026-06-17 19:25 UTC
Published
2026-06-29 20:47 UTC
Last updated
2026-06-30 13:27 UTC
Primary CWE
CWE-304 Missing Critical Step in Authentication
Vendor / Product
Apache Software Foundation / Apache Tomcat
Sources
cve.org  ·  NVD

Severity & Metrics

7.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
Vendor: Apache Software Foundation
Product: Apache Tomcat
Platform: (none listed)
Versions: 11.0.0-M1 through 11.0.4, 10.1.0-M1 through 10.1.36, 9.0.0.M1 through 9.0.100, 8.5.0 through 8.5.100 …
Weakness (CWE)
CWE: CWE-304 Missing Critical Step in Authentication (source: CNA)
CVSS scores (1)
Score: 7.3 HIGH, CVSS 3.1 (source: ADP)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L