Back to CVE List

CVE-2026-55957

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.3 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Description

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-304
Source
NVD
Vendor
Apache Software Foundation
Product
Apache Tomcat

External References

Discussion (0)

Add Comment

No comments yet. Be the first!