CVE-2026-24733

17.02.2026, 19:21

Improper Input Validation vulnerability in Apache Tomcat.

Tomcat did not limit HTTP/0.9 requests to the GET method. If a security
constraint was configured to allow HEAD requests to a URI but deny GET
requests, the user could bypass that constraint on GET requests by
sending a (specification invalid) HEAD request using HTTP/0.9.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.

Older, EOL versions are also affected.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Debian Releases

Debian Product

Codename

tomcat10

bookworm	vulnerable
bookworm (security)	10.1.52-1~deb12u1 fixed
forky	10.1.52-1 fixed
sid	10.1.52-1 fixed
trixie	vulnerable
trixie (security)	10.1.52-1~deb13u1 fixed

tomcat11

forky	11.0.18-1 fixed
sid	11.0.18-1 fixed
trixie	vulnerable
trixie (security)	11.0.15-1~deb13u1 fixed

tomcat9

bookworm	9.0.70-2 fixed
bullseye	vulnerable
bullseye (security)	9.0.107-0+deb11u2 fixed
forky	9.0.115-1 fixed
sid	9.0.115-1 fixed
trixie	9.0.95-1 fixed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Vulnerability Media Exposure

[GERMAN] Apache Tomcat und Tomcat Native: Mehrere Schwachstellen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Tomcat und Tomcat Native ausnutzen, um Informationen offenzulegen und Sicherheitsmaßnahmen zu umgehen.
Published: 2026-02-17T23:00:00+00:00

References

https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f