
CVE-2026-53404

Hype assessment: MOSTLY HYPE

Fresh advisory; no public PoC, no KEV entry and no EPSS score. The chatter is list-driven aggregation, not a signal of active exploitation.

What: Always-Incorrect Control Flow Implementation in Apache Tomcat's rewrite valve (8.5.x through 11.0.x). When the first condition of an [OR] chain matched, the non-OR conditions that followed it were skipped instead of being evaluated, so a RewriteRule could fire on requests that did not satisfy all of its conditions. Any routing or access-control logic expressed as rewrite conditions is affected.

Why it matters: Published 29 June 2026; not KEV-listed; no CVSS or EPSS score assigned yet; no public PoC or in-the-wild exploitation reported. The Apache advisory recommends upgrading to 11.0.23, 10.1.56 or 9.0.119. The 8.5.x line is listed as affected but no fixed 8.5 release is given, so deployments on that line need to move to a supported branch. Social chatter is primarily multilingual vulnerability-list aggregation and security vendor blogs, with no defender triage signals or confirmed attacks.

Where it's seen: Bluesky posts linking CVE lists; security vendor advisories; no PoC repositories or exploitation reports visible.

RISK: MODERATE. A logic flaw in rewrite-condition evaluation can let requests through rules that were meant to gate them. Exposure depends entirely on configuration: only rules whose condition list contains an [OR] chain followed by further RewriteCond lines change behaviour. Patch available; adoption lag unknown.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/30/2026, 3:16:24 PM

Description

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve: if the first condition in an [OR] chain matched, the subsequent non-OR conditions were skipped rather than evaluated. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, and from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. Deployments that enable the rewrite valve should review their rewrite.config for any RewriteCond carrying the [OR] flag that is followed by further conditions before the RewriteRule; those are the rules whose matching changes, and a request that satisfies the chain through its first, [OR]-flagged condition is the case that gets the remaining checks skipped.
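The following is an added example, not code from Tomcat or from the advisory. It models how a mod_rewrite-style condition list is supposed to be evaluated (conditions are ANDed; a run of [OR] conditions plus the non-OR condition that ends it forms one group that is true if any member matches) next to the control flow the description above gives for this CVE, where a matching first condition of an [OR] chain skips the non-OR conditions that follow it. It parses a constructed rewrite.config fragment, runs constructed requests through both evaluators, and reports which requests the flawed path routes differently. The rewrite.config fragment, the header name, the IP ranges and the request samples are all hypothetical, and the flawed evaluator is an assumption read from that one sentence of the advisory, not a transcript of the vulnerable Tomcat source.

```python
"""Correct vs. flawed [OR]-chain evaluation for Tomcat rewrite-valve conditions.

Added example; not Tomcat code.  The flawed branch models the sentence in the
CVE-2026-53404 description only (assumption), not the real Tomcat source.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Cond:
    var: str             # e.g. %{REMOTE_ADDR} or %{HTTP:X-Admin-Token}
    pattern: re.Pattern
    ornext: bool         # [OR] flag: OR this condition with the next one


@dataclass
class Rule:
    pattern: re.Pattern  # matched against the request path
    substitution: str    # $1.. refer to groups of pattern
    conds: list = field(default_factory=list)


# Constructed rewrite.config fragment (hypothetical paths, header and ranges).
# Intent: route /admin/... to the internal admin app only for clients in
# 10/8 OR 192.168/16, AND only when the X-Admin-Token header carries the value.
REWRITE_CONFIG = r"""
RewriteCond %{REMOTE_ADDR} ^10\. [OR]
RewriteCond %{REMOTE_ADDR} ^192\.168\.
RewriteCond %{HTTP:X-Admin-Token} ^secret-token$
RewriteRule ^/admin/(.*)$ /internal/admin/$1 [L]
"""


def parse_config(text):
    """Minimal parser: RewriteCond lines accumulate onto the next RewriteRule."""
    rules, pending = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if parts[0] == "RewriteCond":
            pending.append(Cond(parts[1], re.compile(parts[2]), "OR" in flags))
        elif parts[0] == "RewriteRule":
            rules.append(Rule(re.compile(parts[1]), parts[2], pending))
            pending = []
    return rules


def resolve(var, request):
    """Resolve the two variable kinds the sample config uses."""
    if var == "%{REMOTE_ADDR}":
        return request["remote_addr"]
    if var.startswith("%{HTTP:") and var.endswith("}"):
        return request["headers"].get(var[len("%{HTTP:"):-1], "")
    raise ValueError(f"unsupported variable {var}")


def conds_hold(conds, request, flawed=False):
    """True if the rule's conditions admit the request.

    Correct semantics: OR groups are ANDed; inside a group any match suffices.
    flawed=True: when the *first* condition of an [OR] chain matches, return
    at once, so the non-OR conditions after the chain are never evaluated
    (modelled from the advisory sentence; later chain members are assumed to
    behave correctly because the text does not mention them).
    """
    i = 0
    while i < len(conds):
        group_true, first_in_chain = False, True
        while True:
            cond = conds[i]
            i += 1
            if cond.pattern.search(resolve(cond.var, request)):
                group_true = True
                if flawed and first_in_chain and cond.ornext:
                    return True  # skips everything that follows, not just the chain
            first_in_chain = False
            if not cond.ornext or i >= len(conds):
                break  # end of this OR chain (or a lone condition)
        if not group_true:
            return False
    return True


def apply_rules(rules, request, flawed=False):
    """Return the (possibly rewritten) path; first matching rule wins ([L])."""
    path = request["path"]
    for rule in rules:
        match = rule.pattern.search(path)
        if match and conds_hold(rule.conds, request, flawed):
            return match.expand(re.sub(r"\$(\d)", r"\\\1", rule.substitution))
    return path


# Constructed requests: private / documentation-range IPs, dummy token value.
REQUESTS = {
    "internal_with_token": {"remote_addr": "10.1.2.3", "path": "/admin/users",
                            "headers": {"X-Admin-Token": "secret-token"}},
    "internal_no_token": {"remote_addr": "10.1.2.3", "path": "/admin/users",
                          "headers": {}},
    "second_range_no_token": {"remote_addr": "192.168.5.9", "path": "/admin/users",
                              "headers": {}},
    "external_with_token": {"remote_addr": "203.0.113.7", "path": "/admin/users",
                            "headers": {"X-Admin-Token": "secret-token"}},
}


def divergences(rules, requests):
    """Names of requests the flawed evaluator routes differently from the correct one."""
    return [name for name, req in requests.items()
            if apply_rules(rules, req) != apply_rules(rules, req, flawed=True)]


if __name__ == "__main__":
    rules = parse_config(REWRITE_CONFIG)
    for name, req in REQUESTS.items():
        print(f"{name:24} correct={apply_rules(rules, req):22} "
              f"flawed={apply_rules(rules, req, flawed=True)}")
    print("divergent:", divergences(rules, REQUESTS))
```

Only the request from the first address range without the token diverges: it satisfies the chain through the [OR]-flagged condition, so the flawed evaluator never reaches the header check and rewrites it into the internal path. The request from the second range without the token is handled correctly by both, because the chain is satisfied by its terminating non-OR condition. That asymmetry is the practical point for testing a deployment: a black-box check has to exercise the first branch of each [OR] chain specifically, not just "any" branch.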

Weaknesses