Vulnerability intelligence
CVE-2026-55957
A Missing Critical Step in Authentication vulnerability in Apache Tomcat, when the JNDIRealm was configured to authenticate binds using GSSAPI, allowed attackers to authenticate without providing the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
CVSS Score
7.3
High
EPSS — Exploit Probability
0.2%
Riskier than 12% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
1 article across 1 outlet · first covered Jul 1, 2026 · latest Jul 1, 2026
Coverage timeline
- Apache Tomcat fixes auth bypass CVE-2026-55957 in versions 7 to 11 · securityonline.info · Jul 1, 2026