Apache Tomcat fixes auth bypass CVE-2026-55957 in versions 7 to 11

On June 29, 2026, the Apache Tomcat project disclosed seven vulnerabilities. The most serious, CVE-2026-55957, is an authentication bypass affecting Tomcat 7 through 11. Because Tomcat is so widely deployed for Java web applications, the exposure is broad. The bypass arises in JNDIRealm, the LDAP-backed realm, which skips a required step of GSSAPI authentication. The remaining issues include authorization flaws and a potential replay attack. Fixed releases are available, and administrators should upgrade to the latest release of their branch.
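A first triage step is to find out whether a given Tomcat instance even uses JNDIRealm, and which build it is running. The script below is an added example, not code from the article or the Tomcat project: it greps a server.xml for a JNDIRealm declaration (including one nested in a LockOutRealm or CombinedRealm) and reads the version from the ServerInfo.properties file that ships inside lib/catalina.jar. The config and properties content it scans are constructed inline so it runs offline; it flags any JNDIRealm, since whether the GSSAPI path is reachable depends on the authenticator in front of it, which this check does not try to decide.

```shell
#!/bin/sh
# Added triage helper (not from the article or the Tomcat project).
# Flags JNDIRealm use in a Tomcat server.xml and reports the installed version.

# Succeed if the given server.xml declares a JNDIRealm anywhere (nesting
# inside LockOutRealm/CombinedRealm still matches, since we grep by className).
jndirealm_configured() {
    grep -E 'className="org\.apache\.catalina\.realm\.JNDIRealm"' "$1" >/dev/null
}

# Print "major.minor.patch" from a ServerInfo.properties file
# (real one: unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties).
tomcat_version() {
    sed -n 's#^server\.info=Apache Tomcat/\([0-9][0-9.]*\).*#\1#p' "$1"
}

# Constructed sample inputs so the script runs offline; on a real host point
# the two functions at $CATALINA_BASE/conf/server.xml and the extracted properties.
TMP=$(mktemp -d)
cat > "$TMP/server.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.internal:389"
               userPattern="uid={0},ou=people,dc=example,dc=internal"/>
      </Realm>
    </Engine>
  </Service>
</Server>
EOF
printf 'server.info=Apache Tomcat/9.0.80\nserver.number=9.0.80.0\n' > "$TMP/ServerInfo.properties"

ver=$(tomcat_version "$TMP/ServerInfo.properties")
if jndirealm_configured "$TMP/server.xml"; then
    echo "JNDIRealm configured on Tomcat $ver: confirm this build carries the fix for CVE-2026-55957"
else
    echo "No JNDIRealm in server.xml on Tomcat $ver: not exposed through this realm"
fi
```

The version string alone does not tell you whether a build is fixed; compare it against the fixed release for your branch in the project's announcement, and treat any JNDIRealm hit on an unpatched 7 to 11 build as in scope.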
Article by CyberSIXT