
Multiple Vulnerabilities Discovered in Tomcat Affecting WebDAV and Authentication

Severity: Medium (Score: 57.8)

Sources: Ubuntu, launchpad.net, Linuxsecurity

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: tomcat, update, issues, webdav, lock, propfind, request

Severity indicators: vulnerabilities, issue

Summary

A series of vulnerabilities in Apache Tomcat was disclosed, affecting 9.0.x releases prior to 9.0.118 (for the 10.1 branch the Ubuntu notice ships the fix in the 10.1.40 package). Key issues include an unbounded read in WebDAV LOCK and PROPFIND handling (CVE-2026-41284), improper validation of HTTP/2 request headers (CVE-2026-41293), and exposure of HTTP authentication headers during WebSocket upgrades (CVE-2026-42498). These vulnerabilities could allow remote attackers to cause a denial of service, crash the server, or bypass authentication. Other vulnerabilities include improper handling of digest authentication (CVE-2026-43512), case-sensitivity issues in LockOutRealm (CVE-2026-43513), insecure AJP secret comparison (CVE-2026-43514), and incorrect application of security constraints (CVE-2026-43515). The vulnerabilities were published on May 12, 2026, and patches were released shortly thereafter. Users are advised to update to Tomcat 9.0.118, or the corresponding fixed release for their branch, to mitigate these risks.

Key Points:

  • Tomcat vulnerabilities could lead to denial of service and unauthorized access.
  • Key CVEs include CVE-2026-41284, CVE-2026-41293, and CVE-2026-42498.
  • Users should upgrade to Tomcat 9.0.118 (or the fixed release for their branch) to address these issues.

Detailed Analysis

**Impact**

Web servers running Apache Tomcat are affected globally across the many sectors that rely on Java-based web applications. The vulnerabilities enable denial of service, exposure of credentials carried in HTTP authentication headers, authentication bypass, and circumvention of security constraints, which can disrupt business operations and expose confidential data. No specific geographic or sectoral impact details were provided.

**Technical Details**

Exploitation involves sending WebDAV LOCK and PROPFIND requests with oversized bodies, which Tomcat read without a size limit (CVE-2026-41284), causing excessive memory use and denial of service; sending malformed HTTP/2 request headers that Tomcat did not validate properly (CVE-2026-41293), causing a crash or denial of service; and leveraging the failure to clear HTTP authentication headers during WebSocket upgrades (CVE-2026-42498) to obtain credentials. Additional issues include a digest authentication bypass (CVE-2026-43512), case-sensitivity flaws in LockOutRealm (CVE-2026-43513), insecure AJP secret comparison (CVE-2026-43514), and incorrect application of security constraints (CVE-2026-43515). The vendor notices quoted below describe denial-of-service, credential-exposure and authentication-bypass outcomes; they do not describe code execution. No malware or specific IOCs were reported.

**Recommended Response**

Apply the Apache Tomcat 9.0.118 update, or the corresponding vendor package, immediately to remediate all listed CVEs. Until the update is in place, reduce exposure by confirming whether the WebDAV servlet is actually mapped in any deployed web.xml and disabling it where unused, restricting or disabling AJP connectors that lack a shared secret, and reviewing LockOutRealm and digest-authentication configuration and the security constraints of each web application. Monitor for unusual WebSocket connection attempts, bursts of LOCK or PROPFIND requests, and abnormal memory consumption indicative of exploitation attempts. No specific detection signatures were provided.
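The pre-patch checks recommended above can be scripted. The following is an added example written for this page, not code from the advisory, from Apache Tomcat, or from any vendor. It compares an installed version string against the fixed release for its branch (9.0.118 is stated by the advisory; the 10.1.40 entry is an assumption inferred from the Ubuntu package version 10.1.40-1ubuntu1.26.04.1 listed in the sources), reports whether a web.xml maps the WebdavServlet (the code path behind the LOCK/PROPFIND issue), lists AJP connectors configured without a shared secret, and notes whether LockOutRealm is in use. The sample descriptors are constructed for the example and describe no real deployment.

```python
"""Pre-patch exposure check for the Tomcat advisory (added example, not vendor code).

Checks an installed version against the fixed release for its branch, looks
for WebdavServlet mappings in a web.xml (the CVE-2026-41284 code path), and
lists AJP connectors without a shared secret and whether LockOutRealm is in
use. All sample XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# 9.0.118 is stated by the advisory. 10.1.40 is an assumption inferred from the
# Ubuntu package version 10.1.40-1ubuntu1.26.04.1 listed in the sources.
FIXED_VERSIONS = {"9.0": (9, 0, 118), "10.1": (10, 1, 40)}

WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"
LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Apache Tomcat/9.0.117'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def needs_update(text):
    """True if below the fixed release for a tracked branch, False if at or
    above it, None if the branch is not in FIXED_VERSIONS."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get("%d.%d" % v[:2])
    return None if fixed is None else v < fixed


def _local(tag):
    # Strip the XML namespace so javaee and jakartaee descriptors both match.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def webdav_mappings(web_xml):
    """URL patterns routed to WebdavServlet; an empty list means the
    LOCK/PROPFIND handling is not reachable through this descriptor."""
    root = ET.fromstring(web_xml)
    names = {_child_text(s, "servlet-name") for s in root
             if _local(s.tag) == "servlet"
             and _child_text(s, "servlet-class") == WEBDAV_SERVLET}
    return [_child_text(m, "url-pattern") for m in root
            if _local(m.tag) == "servlet-mapping"
            and _child_text(m, "servlet-name") in names]


def ajp_connectors(server_xml):
    """[(port, has_secret)] for every AJP connector in server.xml."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), bool(c.get("secret")))
            for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def lockout_realm_present(server_xml):
    """True if any Realm element in server.xml is a LockOutRealm."""
    root = ET.fromstring(server_xml)
    return any(r.get("className") == LOCKOUT_REALM for r in root.iter("Realm"))


def assess(version_text, web_xml, server_xml):
    """Collect the findings a practitioner needs before the update lands."""
    return {
        "needs_update": needs_update(version_text),
        "webdav_mappings": webdav_mappings(web_xml),
        "ajp_without_secret": [p for p, ok in ajp_connectors(server_xml) if not ok],
        "lockout_realm": lockout_realm_present(server_xml),
    }


# Constructed sample descriptors (not from any real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/share/*</url-pattern>
  </servlet-mapping>
</web-app>"""

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false"/>
    <Connector port="8010" protocol="AJP/1.3" secretRequired="true" secret="example-only"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
      </Realm>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    print(assess("Apache Tomcat/9.0.117", SAMPLE_WEB_XML, SAMPLE_SERVER_XML))
```

On a real host, feed `needs_update` the output of `catalina.sh version` (or the `Server` header if it is exposed), and point `webdav_mappings` at each webapp's `WEB-INF/web.xml` as well as `conf/web.xml`, where a globally enabled WebDAV servlet would reach every application. The AJP check flags the weak configuration (`secretRequired="false"` with no secret) beside the corrected one; a connector on port 8009 bound to a non-loopback address without a secret is worth disabling outright until the update is applied.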

Source articles (3)

  • SUSE Tomcat Important Security Update for Seven Issues 2026-2299 — Linuxsecurity · 2026-06-08
    ## This update for tomcat fixes the following issues Update to Tomcat 9.0.118: * CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). * CVE-2026-41293: HTTP/2 request hea…
  • USN-8417-1: Tomcat vulnerabilities — Ubuntu · 2026-06-10
    It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting…
  • 10.1.40-1ubuntu1.26.04.1 — launchpad.net · 2026-06-10
    Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Oracle, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contain…

Timeline

  • 2026-05-12 — Multiple Tomcat CVEs published: Seven vulnerabilities in Tomcat were disclosed, affecting various functionalities and security measures.
  • 2026-05-12 — CVE-2026-43512 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-41293 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-41284 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-42498 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43515 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43514 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-43513 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-08 — SUSE releases important security update: SUSE issued an update for Tomcat to fix the vulnerabilities, urging users to upgrade to version 9.0.118.
  • 2026-06-10 — Ubuntu publishes security notice: Ubuntu released a security notice detailing the vulnerabilities and their potential impacts on Tomcat.

CVEs

  • CVE-2026-41284
  • CVE-2026-41293
  • CVE-2026-42498
  • CVE-2026-43512
  • CVE-2026-43513
  • CVE-2026-43514
  • CVE-2026-43515

Related entities

  • DoS (Attack Type)
  • CWE-125 - Out-of-bounds Read (Cwe)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • Tomcat (Platform)
  • Ubuntu (Company)