Apache Tomcat - Digest authenticator will authenticate any unknown user

GHSA-h6fc-48rj-7qqh · BIT-tomcat-2026-43512 · CVE-2026-43512

Published May 12, 2026 · Modified May 19, 2026

Description

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Older, unsupported versions may also be affected

Description:
When DIGEST authentication was configured, any user not known to the
configured Realm would be authenticated if they presented the password
"null".

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 11.0.22 or later
Upgrade to Apache Tomcat 10.1.55 or later
Upgrade to Apache Tomcat 9.0.118 or later

References

9.8 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

401 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +381 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes