CRITICAL🇵🇱 Wersja polska

CVE-2026-43512

CVSS 9.8pub. 2026-05-12upd. 2026-05-15

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

🤖 AI Analysis
How it works

The error classified as CWE-592 (Authentication Bypass Issues) concerns the implementation of digest authentication in Apache Tomcat. A remote unauthenticated attacker can exploit the vulnerability over the network without user interaction and without meeting any additional conditions (vector AV:N/AC:L/PR:N/UI:N). The detailed technical mechanism has not been disclosed in the public description — however, it concerns irregularities in the handling of the digest authentication process.

Impact

An attacker can gain unauthorized access to resources protected by digest authentication mechanism, resulting in violation of confidentiality, integrity and availability of data (CVSS rating C:H/I:H/A:H).

Mitigation & patch

Apache Tomcat should be immediately updated to version 11.0.22, 10.1.55 or 9.0.118, which contain the patch. For branches 8.5.x and 7.x, the manufacturer has not indicated patched versions — migration to a supported branch is recommended. As a temporary workaround, consider disabling the digest authentication mechanism or replacing it with another authentication method.

Who is affected

Apache Tomcat in versions: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, 8.5.0 to 8.5.100 and versions older than 7.0.0 (including older, unsupported versions of the 7.x and earlier branches)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Tomcat

    APP
    Apache
    7.0.0 – 7.0.1098.5.0 – 8.5.1009.0.0 – 9.0.118 (bez)10.1.0 – 10.1.55 (bez)11.0.0 – 11.0.22 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych

CVE-2020-1938CRITICAL9.8⚠ KEVten sam produkt

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...

CVE-2016-8735CRITICAL9.8⚠ KEVten sam produkt

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....

CVE-2026-53434CRITICAL9.1ten sam produkt

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas...

CVE-2026-55276CRITICAL9.1ten sam produkt

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty...