Apache Tomcat - HTTP/2 request headers not validated

GHSA-r29c-68gh-xp6x · BIT-tomcat-2026-41293 · CVE-2026-41293

Published May 12, 2026 · Modified May 19, 2026

Description

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Older, unsupported versions may also be affected

Description:
HTTP/2 request headers were not validated which may have triggered
unexpected application behaviour if the application (quite reasonably)
assumed that header value exposed through the Servlet API would be
specification compliant.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 11.0.22 or later
Upgrade to Apache Tomcat 10.1.55 or later
Upgrade to Apache Tomcat 9.0.118 or later

Credit:
This issue was identified by Dawit Jeong (@dawitngoliath)

References

9.8 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

401 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +381 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes