Apache Tomcat - Security constraints not correctly applied

GHSA-5m62-pw8w-7w9f · BIT-tomcat-2026-43515 · CVE-2026-43515

Published May 12, 2026 · Modified May 22, 2026

Description

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Older, unsupported versions may also be affected

Description:
When multiple security constraints defined an HTTP method constraint for
the same extension pattern, only the first method constraint was applied.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 11.0.22 or later
Upgrade to Apache Tomcat 10.1.55 or later
Upgrade to Apache Tomcat 9.0.118 or later

References

9.1 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

401 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +381 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.55, 11.0.22, 9.0.118

Introduced 0, 10.1.0-M1, 11.0.0-M1

425 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +405 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes