CRITICAL · CVE-2026-55276 · CNA: apache

CVE-2026-55276: Apache Tomcat: Logged effective web.xml is incomplete

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
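As an added illustration (not part of the advisory and not Tomcat's own code), the following script inventories the security constraints in a web.xml and singles out the two cases the affected versions drop from the logged effective web.xml: special role names (`*`, `**`) and empty `<auth-constraint/>` elements. An operator can run it over the deployed descriptor and compare the result with what Tomcat logged. The sample web.xml is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from any real deployment): one constraint of
# each kind, including the two the affected Tomcat versions drop from the log.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/api/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    # Match on local name so javaee and jakartaee namespaces both work.
    return [c for c in elem if c.tag.rsplit('}', 1)[-1] == name]

def inventory_constraints(xml_text):
    """One dict per <security-constraint>: url-patterns, roles and the effective rule kind."""
    findings = []
    for sc in _children(ET.fromstring(xml_text), 'security-constraint'):
        patterns = [p.text.strip() for wrc in _children(sc, 'web-resource-collection')
                    for p in _children(wrc, 'url-pattern')]
        auth = _children(sc, 'auth-constraint')
        roles = [r.text.strip() for r in _children(auth[0], 'role-name')] if auth else []
        if not auth:
            kind = 'unrestricted'      # no <auth-constraint>: anyone may access
        elif not roles:
            kind = 'deny-all'          # empty <auth-constraint/>: nobody may access
        elif any(r in ('*', '**') for r in roles):
            kind = 'special-role'      # '*' = any declared role, '**' = any authenticated user
        else:
            kind = 'named-roles'
        findings.append({'patterns': patterns, 'roles': roles, 'kind': kind})
    return findings

def omitted_from_affected_log(findings):
    """Constraints whose rule is missing from the logged effective web.xml on unpatched versions."""
    return [f for f in findings if f['kind'] in ('deny-all', 'special-role')]
```

Any constraint returned by `omitted_from_affected_log` is enforced by Tomcat but absent from the logged effective web.xml on the affected versions, so the log alone cannot be used to audit those paths.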

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0
Affected Products: 1


HarborGuard Analysis

Synopsis

An always-incorrect control flow vulnerability in Apache Tomcat causes the effective web.xml security configuration to be logged incompletely, omitting special roles and empty authorization constraints. The flaw is reachable over the network with no authentication required and no user interaction needed. Successful exploitation allows an attacker to read sensitive configuration data and tamper with security-relevant application state, achieving both high confidentiality and high integrity impact. A patched-image rebuild at versions 11.0.23, 10.1.56, or 9.0.119 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Apache and NVD feeds within minutes of publication and matched against all customer images, including custom-built Tomcat base images and images layering Tomcat as a dependency. Any image shipping an affected version of Apache Tomcat (9.x through 11.x in the vulnerable ranges) is flagged immediately.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL using the CVSS v3.1 vector and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the team or inbox configured for critical-severity issues within each customer organization.

Patch: Available

A patched-image rebuild at Apache Tomcat versions 11.0.23, 10.1.56, or 9.0.119 becomes available for scanning and deployment once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite against the new build, and opens a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Tomcat service over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or credential of any privilege level is required to trigger the vulnerability.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and does not require any action from a user or administrator.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions or specific memory layout requirements exist.

Blast Radius

  • An attacker reads logged web.xml output that silently omits special roles and empty authorization constraints, gaining an accurate picture of which security rules are actually missing from the deployed configuration.
  • With knowledge of the true (incomplete) authorization model, an attacker identifies unprotected endpoints or resources and accesses data that should be gated behind role checks.
  • An attacker manipulates application behavior or data by targeting endpoints whose empty authorization constraints are invisible in the logged configuration, bypassing expected access controls.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked against all images running Apache Tomcat in the affected version ranges (9.0.0-M1 through 9.0.118, 10.1.0-M1 through 10.1.55, 11.0.0-M1 through 11.0.22, and 8.5.0 through 8.5.100). Because upstream fix versions exist (11.0.23, 10.1.56, 9.0.119), a patched-image rebuild is available the moment the fixed base image is resolvable. For customers who opt into auto-remediation, HarborGuard performs a rebuild at the patched version, runs a regression test pass, and opens a PR against affected workloads; for high- and critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the finding appears in the critical queue with remediation guidance pointing to the specific fix version for each affected branch. Note that Apache Tomcat 8.5.x has reached end of life upstream; HarborGuard will flag 8.5.x images and recommend migration to a supported branch rather than a same-branch rebuild.


Fix available: 0

Affected packages
  • Apache Software Foundation / Apache Tomcat: ≤ 11.0.22 · ≤ 10.1.55 · ≤ 9.0.118 · ≤ 8.5.100 (Fixed in: 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N