All CVEs
Vulnerability intelligence

CVE-2026-55957

CWE-304

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

CVSS Score
7.3
High
EPSS — Exploit Probability
0.2%
Riskier than 12% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
NVD entry PoC / advisory

1 article across 1 outlet · first covered Jul 1, 2026 · latest Jul 1, 2026

Coverage timeline