Apache Tomcat JNDIRealm GSSAPI Auth Bypass (11.0.4)
CVE-2026-55957 Published on June 29, 2026
Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
Weakness Type
Missing Critical Step in Authentication
The software implements an authentication technique, but it skips a step that weakens the technique. Authentication techniques should follow the algorithms that define them exactly, otherwise authentication can be bypassed or more easily subjected to brute force attacks.
Products Associated with CVE-2026-55957
Want to know whenever a new CVE is published for Apache Tomcat? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.4 is affected.
- Version 10.1.0-M1, <= 10.1.36 is affected.
- Version 9.0.0.M1, <= 9.0.100 is affected.
- Version 8.5.0, <= 8.5.100 is affected.
- Version 7.0.0, <= 7.0.109 is affected.
- Before 7.0.0 is unknown.