CVE-2026-55956
Fresh advisory, patches available, but no PoC, no KEV, no exploitation reports yet.
What: Improper Authorization in Apache Tomcat (versions 7.0–11.0) where security constraints on the default servlet fail to enforce HTTP method restrictions, allowing unauthorized access to protected resources.
Why it matters: Published 29 June 2026, this is a fresh authorization bypass affecting widely deployed Tomcat versions. Not yet KEV-listed and no CVSS assigned. Social chatter is largely advisory republication and translation; no public PoC or confirmed in-the-wild exploitation reported. Apache has issued patches (11.0.23, 10.1.56, 9.0.119).
Where it's seen: Multilingual posts on Bluesky summarizing the vulnerability and linking to security advisories; coverage includes bundled CVEs. Typical early-disclosure pattern—defenders triaging patch eligibility, no weaponization signals.
RISK: HIGH — Affects all major Tomcat branches; authorization bypass impacts confidentiality and integrity.
Description
Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
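The advisory says that, on affected versions, any http-method or http-method-omission element inside a security constraint is ignored when the request is handled by the default servlet. The constraints worth triaging first are therefore the ones that depend on those method restrictions. The following audit script is an added example, not code from the page or from the Apache Tomcat project: it parses a web.xml (any of the javaee/jakartaee namespaces, or none) and lists every security constraint whose web-resource-collection uses method restrictions. The sample web.xml embedded in it is constructed for illustration. The script does not work out which URL patterns are actually served by the default servlet, since that depends on the application's servlet mappings, so it reports all method-limited constraints for review.

```python
"""Audit a web.xml for security constraints that rely on HTTP method restrictions.

Added example for triaging CVE-2026-55956: constraints using <http-method> or
<http-method-omission> are the ones whose protection the advisory says the
default servlet ignores on unpatched Tomcat versions.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from any real application).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (GET restricted to staff)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Uploads (everything except GET needs admin)</web-resource-name>
      <url-pattern>/uploads/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin (all methods, no method list)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so old javaee, new jakartaee and unqualified files all match."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    """Text of all direct children of `parent` with local name `name`."""
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]


def find_method_limited_constraints(web_xml_text):
    """Return one finding per web-resource-collection that lists http-method
    or http-method-omission elements. Collections without either (i.e. covering
    all methods) are not reported, because they do not rely on the ignored part
    of the constraint."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = []
        for ac in sc:
            if _local(ac.tag) == "auth-constraint":
                roles.extend(_texts(ac, "role-name"))
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            methods = _texts(wrc, "http-method")
            omissions = _texts(wrc, "http-method-omission")
            if not methods and not omissions:
                continue
            name = (_texts(wrc, "web-resource-name") or [""])[0]
            findings.append({
                "resource_name": name,
                "url_patterns": _texts(wrc, "url-pattern"),
                "http_methods": methods,
                "http_method_omissions": omissions,
                "roles": roles,
            })
    return findings


def format_report(findings):
    """Human-readable summary, one line per finding."""
    if not findings:
        return "No method-limited security constraints found."
    lines = []
    for f in findings:
        restriction = (
            "methods " + ",".join(f["http_methods"]) if f["http_methods"]
            else "all methods except " + ",".join(f["http_method_omissions"])
        )
        lines.append("REVIEW: %s -> %s (%s; roles: %s)" % (
            f["resource_name"], " ".join(f["url_patterns"]), restriction,
            ",".join(f["roles"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print(format_report(find_method_limited_constraints(text)))
```

Run it with a path to an application's WEB-INF/web.xml (or with no argument to see the sample). For each reported constraint, check whether the URL patterns cover resources served by the default servlet; if they do, the method restriction cannot be relied on until the instance is upgraded to a fixed version.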