Apache Tomcat RewriteValve URL Decode Bypass <=11.0.23,<10.1.56,<9.0.119,<8.5.100
CVE-2026-59083 Published on July 14, 2026

Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.

Vendor Advisory NVD

Weakness Type

What is a Hex Encoding Vulnerability?

The software does not properly handle when all or part of an input has been URL encoded.

CVE-2026-59083 has been classified to as a Hex Encoding vulnerability or weakness.


Products Associated with CVE-2026-59083

Want to know whenever a new CVE is published for Apache Tomcat? stack.watch will email you.

 

Affected Versions

Apache Software Foundation Apache Tomcat: