Apache Tomcat Flaw via Multiple HTTP Methods (pre-9.0.118/10.1.55/11.0.22)
CVE-2026-43515 Published on May 12, 2026
Apache Tomcat: Security constraints not correctly applied
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Vulnerability Analysis
CVE-2026-43515 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-43515 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-43515
Want to know whenever a new CVE is published for Apache Tomcat? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.21 is affected.
- Version 10.1.0-M1, <= 10.1.54 is affected.
- Version 9.0.0.M1, <= 9.0.117 is affected.
- Version 8.5.0, <= 8.5.100 is affected.
- Version 7.0.0, <= 7.0.109 is affected.
- Before 7.0.0 is unknown.