Apache Tomcat RewriteValve URL Decode Bypass <=11.0.23,<10.1.56,<9.0.119,<8.5.100
CVE-2026-59083 Published on July 14, 2026
Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.
Weakness Type
What is a Hex Encoding Vulnerability?
The software does not properly handle when all or part of an input has been URL encoded.
CVE-2026-59083 has been classified to as a Hex Encoding vulnerability or weakness.
Products Associated with CVE-2026-59083
Want to know whenever a new CVE is published for Apache Tomcat? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.23 is affected.
- Version 10.1.0-M1, <= 10.1.56 is affected.
- Version 9.0.0.M1, <= 9.0.119 is affected.
- Version 8.5.0, <= 8.5.100 is affected.
- Before 8.0.0 is unaffected.