CVE-2026-43515

EUVD-2026-29519

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

EPSS Score
Percentile: 53%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | tomcat | 7.0.0 ≤ x ≤ 7.0.109 |
| apache | tomcat | 8.5.0 ≤ x ≤ 8.5.100 |
| apache | tomcat | 9.0.0 ≤ x < 9.0.118 |
| apache | tomcat | 10.1.0 ≤ x < 10.1.55 |
| apache | tomcat | 11.0.0 ≤ x < 11.0.22 |

x = Vulnerable software versions

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| tomcat10 | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10 | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10 | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10 | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10 | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10 | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-admin-webapps | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-el-5_0-api | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-jsp-3_1-api | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-lib | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-servlet-6_0-api | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise sap 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise sap 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise sap 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise server 15 SP5 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise server 15 SP6 | 10.1.55-150200.5.67.1 | fixed |
| tomcat10-webapps | suse enterprise server 15 SP7 | 10.1.55-150200.5.67.1 | fixed |
| tomcat11 | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11 | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11 | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11 | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-admin-webapps | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-admin-webapps | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-admin-webapps | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-admin-webapps | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-el-6_0-api | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-el-6_0-api | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-el-6_0-api | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-el-6_0-api | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-jsp-4_0-api | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-jsp-4_0-api | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-jsp-4_0-api | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-jsp-4_0-api | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-lib | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-lib | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-lib | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-lib | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-servlet-6_1-api | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-servlet-6_1-api | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-servlet-6_1-api | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-servlet-6_1-api | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-webapps | suse enterprise sap 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-webapps | suse enterprise sap 15 SP7 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-webapps | suse enterprise server 15 SP6 | 11.0.22-150600.13.21.1 | fixed |
| tomcat11-webapps | suse enterprise server 15 SP7 | 11.0.22-150600.13.21.1 | fixed |

Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| tomcat10 | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-admin-webapps | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-docs-webapp | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-el-5.0-api | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-jsp-3.1-api | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-lib | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-servlet-6.0-api | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat10-webapps | Amazon Linux 2023 | 1:10.1.55-1.amzn2023.0.1 | fixed |
| tomcat9 | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-admin-webapps | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-docs-webapp | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-el-3.0-api | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-jsp-2.3-api | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-lib | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-servlet-4.0-api | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |
| tomcat9-webapps | Amazon Linux 2023 | 1:9.0.118-1.amzn2023.0.1 | fixed |