Apache Tomcat HTTP Request Smuggling via Chunk Extension (pre 11.0.20)
CVE-2026-24880 Published on April 9, 2026

Apache Tomcat: Request smuggling via invalid chunk extension
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.


Weakness Type

What is an HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests pass through one or more entities in the data flow between the user and the web server, such as a proxy or firewall, those entities can interpret the requests inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2026-24880 has been classified as an HTTP Request Smuggling vulnerability or weakness.
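
As an added illustration (not Tomcat's code and not the fix shipped in the patched releases), the following strict decoder for chunked bodies applies the chunk-extension grammar from RFC 9112 and refuses any chunk line that two parsers could read differently. The function names, the 8-hex-digit size cap, the refusal of trailer fields and the sample bodies are assumptions constructed for this example.

```python
import re

# Grammar: RFC 9112 section 7.1 (chunk-ext), RFC 9110 section 5.6 (token, quoted-string).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
BWS = rb"[ \t]*"
EXT = (BWS + rb";" + BWS + TOKEN
       + rb"(?:" + BWS + rb"=" + BWS + rb"(?:" + TOKEN + rb"|" + QUOTED + rb"))?")
# Assumption: chunk-size is capped at 8 hex digits so oversized values are refused.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:" + EXT + rb")*")

def parse_chunked(body: bytes) -> bytes:
    """Decode a chunked body strictly; raise ValueError on any deviation."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk line not terminated by CRLF")
        line = body[pos:end]
        m = CHUNK_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"invalid chunk-size or chunk extension: {line!r}")
        size, pos = int(m.group(1), 16), end + 2
        if size == 0:
            # Simplification: trailer fields are refused, only the final CRLF is accepted.
            if body[pos:] != b"\r\n":
                raise ValueError("unexpected bytes after last chunk")
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2

def is_strictly_valid(body: bytes) -> bool:
    try:
        parse_chunked(body)
        return True
    except ValueError:
        return False

# Constructed sample bodies: two well-formed, three with malformed chunk extensions.
SAMPLES = {
    "token extension": b"5;name=value\r\nhello\r\n0\r\n\r\n",
    "quoted extension": b'5 ; a="x y"\r\nhello\r\n0\r\n\r\n',
    "empty extension name": b"5;\r\nhello\r\n0\r\n\r\n",
    "unterminated quoted-string": b'5;a="x\r\nhello\r\n0\r\n\r\n',
    "control byte in extension": b"5;a=b\x01\r\nhello\r\n0\r\n\r\n",
}

def audit() -> dict:
    return {label: is_strictly_valid(body) for label, body in SAMPLES.items()}
```

A front end that rejects such bodies with a 400 response, rather than forwarding them, removes the disagreement between hops that smuggling depends on.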


Products Associated with CVE-2026-24880


Affected Versions

Apache Software Foundation Apache Tomcat: