Apache Tomcat JNDIRealm GSSAPI Auth Bypass (11.0.4)
CVE-2026-55957 Published on June 29, 2026

Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
A Missing Critical Step in Authentication vulnerability in Apache Tomcat allowed attackers to authenticate without providing the correct password when the JNDIRealm was configured to authenticate binds using GSSAPI. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, and from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fix the issue; no fixed release is listed for the 8.5 or 7.0 branches.
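The advisory scopes the issue by two things: the Tomcat version and one realm setting (a JNDIRealm whose bind uses GSSAPI). The Python script below, added here as an example and not taken from stack.watch's page or from the Tomcat project, checks both against a server.xml. It parses Tomcat version strings in both milestone spellings the advisory uses (11.0.0-M1 and 9.0.0.M1) and compares them with the stated ranges, then finds JNDIRealm elements whose authentication attribute selects a GSSAPI bind. The sample configurations are constructed for the check; the assumption that authentication="GSSAPI" is the setting in question follows from JNDIRealm passing that attribute through to JNDI as java.naming.security.authentication.

```python
"""Is this Tomcat install in scope for the JNDIRealm/GSSAPI advisory?

Added example, not Tomcat code. It assumes the server.xml text has already
been read and that the realm it finds is actually used by a deployed web app.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) and fixed release per branch, as stated in the
# advisory. 8.5.x and 7.0.x are listed as affected with no fixed release named.
AFFECTED = [
    ("11.0.0-M1", "11.0.4", "11.0.5"),
    ("10.1.0-M1", "10.1.36", "10.1.37"),
    ("9.0.0.M1", "9.0.100", "9.0.101"),
    ("8.5.0", "8.5.100", None),
    ("7.0.0", "7.0.109", None),
]

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Map a Tomcat version string to a sortable tuple.

    Accepts both milestone spellings ('11.0.0-M1' and '9.0.0.M1'); a milestone
    sorts before the final release with the same number.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def affected_range(version):
    """Return (low, high, fixed_release) for the range containing version,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high, fixed)
    return None


def gssapi_jndi_realms(server_xml):
    """Find JNDIRealm elements configured for a GSSAPI bind.

    Assumption: JNDIRealm's 'authentication' attribute becomes JNDI's
    java.naming.security.authentication, so authentication="GSSAPI" selects the
    bind path the advisory describes. iter() walks the whole tree, so realms
    nested inside a LockOutRealm or CombinedRealm are found too.
    """
    root = ET.fromstring(server_xml)
    return [
        realm for realm in root.iter("Realm")
        if realm.get("className") == JNDI_REALM
        and (realm.get("authentication") or "").strip().upper() == "GSSAPI"
    ]


def assess(version, server_xml):
    """Combine the version check and the configuration check into one verdict."""
    rng = affected_range(version)
    realms = gssapi_jndi_realms(server_xml)
    if rng is None:
        return {"vulnerable": False,
                "reason": "Tomcat version outside the affected ranges",
                "action": None}
    low, high, fixed = rng
    action = (f"upgrade to {fixed}" if fixed
              else "no fixed release named for this branch; move to a fixed branch")
    if not realms:
        return {"vulnerable": False,
                "reason": f"{version} is in affected range {low}..{high} "
                          "but no JNDIRealm binds with GSSAPI",
                "action": action}
    return {"vulnerable": True,
            "reason": f"{version} is in affected range {low}..{high} and "
                      f"{len(realms)} JNDIRealm(s) bind with GSSAPI",
            "action": action}


# Constructed sample configuration (not from a real deployment): a JNDIRealm
# with a GSSAPI bind, wrapped in a LockOutRealm as many deployments do.
VULNERABLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.internal:389"
               authentication="GSSAPI"
               userBase="ou=people,dc=example,dc=internal"
               userSearch="(uid={0})"
               roleBase="ou=groups,dc=example,dc=internal"
               roleName="cn"
               roleSearch="(member={0})"/>
      </Realm>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Same layout with a simple bind: outside this advisory's scope.
SIMPLE_BIND_SERVER_XML = VULNERABLE_SERVER_XML.replace(
    'authentication="GSSAPI"', 'authentication="simple"')


if __name__ == "__main__":
    for ver in ("9.0.100", "9.0.101", "8.5.100"):
        for label, cfg in (("GSSAPI bind", VULNERABLE_SERVER_XML),
                           ("simple bind", SIMPLE_BIND_SERVER_XML)):
            print(ver, label, assess(ver, cfg))
```

Feed it the version reported by bin/version.sh and the contents of conf/server.xml; a JNDIRealm can also be declared per application in a context.xml, so those files deserve the same check. A match means the configuration is in scope; whether it is reachable still depends on a deployed web app using that realm for authentication.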


Weakness Type

Missing Critical Step in Authentication

The software implements an authentication technique but skips a step, which weakens it. Authentication techniques should follow the algorithms that define them exactly; otherwise authentication can be bypassed or more easily subjected to brute-force attacks.


Products Associated with CVE-2026-55957


Affected Versions

Apache Software Foundation Apache Tomcat: