Apache Tomcat 11,10,9 Unbounded Resource Allocation VULN (fixed 11.0.22)
CVE-2026-41284 Published on May 12, 2026
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-41284
Want to know whenever a new CVE is published for Apache Tomcat? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.21 is affected.
- Version 10.1.0-M1, <= 10.1.54 is affected.
- Version 9.0.0.M1, <= 9.0.117 is affected.
- Version 10.0.0-M1, <= 10.0.27 is affected.
- Version 8.5.0, <= 8.5.100 is affected.
- Version 4.0, <= 7.0.109 is affected.