Apache Tomcat - WebSocket authentication header exposure

GHSA-fv25-8xcx-gqjc · BIT-tomcat-2026-42498 · CVE-2026-42498

Published May 12, 2026 · Modified May 19, 2026

Description

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.2 to 9.0.117
Older, unsupported versions may also be affected

Description:
If a WebSocket request was redirected after authentication, Tomcat's
WebSocket client would present the most recent authentication header to
the redirect target host.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 11.0.22 or later
Upgrade to Apache Tomcat 10.1.55 or later
Upgrade to Apache Tomcat 9.0.118 or later

Credit:
This issue was identified by lokerxx

References

7.3 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

401 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +381 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes