CVE-2026-55957
Legitimate vulnerability with same-day vendor patches, but only 24 hours old; no PoC or exploitation evidence yet.
What: Missing authentication step in Apache Tomcat's JNDIRealm when it is configured to authenticate LDAP binds with GSSAPI lets an attacker authenticate without the correct password; affects 7.0.0 through 11.0.4 across five release lines (7.0, 8.5, 9.0, 10.1, 11.0). Only 11.0, 10.1 and 9.0 receive fixes; 8.5 and 7.0 are listed as affected with no fixed release (both lines are end-of-life).
Why it matters: Published 29 June 2026 with vendor patches issued the same day (11.0.5, 10.1.37, 9.0.101). Authentication bypass is high-severity; no CVSS/EPSS assigned yet and not KEV-listed. Exposure is narrower than "all Tomcat": only deployments whose JNDIRealm authenticates binds with GSSAPI are reachable, so check the Realm configuration before treating every instance as exposed. Social chatter is predominantly automated feed rebroadcasts and security news aggregators, not defender reports or PoC activity.
Where it's seen: Bluesky CVE notification bots and security blog auto-posts; Russian-language summaries; Apache mailing list thread referenced. No independent researcher PoC, no in-the-wild exploitation chatter.
RISK: HIGH — Authentication bypass in a widely deployed application server; same-day vendor patches signal the maintainers treat it as real. Exposure is limited to deployments using JNDIRealm with GSSAPI bind authentication, and 8.5/7.0 users have no patched release to move to.
Description
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without providing the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
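As an added triage helper (this is not part of the advisory and not Tomcat's own code), the following Python checks a Tomcat version string against the affected and fixed ranges quoted in the description above, and scans a server.xml for a JNDIRealm whose bind authentication is GSSAPI, which is the configuration the advisory says is vulnerable. The Realm attribute names (className, authentication, useDelegatedCredential) follow Tomcat's Realm configuration reference; the sample server.xml, the LDAP hostname, and the result strings are constructed for this example.

```python
"""Triage: is this Tomcat in the affected range for the JNDIRealm/GSSAPI
authentication bypass, and does its config actually use that realm mode?"""
import re
import xml.etree.ElementTree as ET

# Affected ranges and fixed releases, taken from the advisory text.
# The 8.5 and 7.0 lines are listed as affected but have no fixed release.
AFFECTED = {
    "11.0": ("11.0.0-M1", "11.0.4", "11.0.5"),
    "10.1": ("10.1.0-M1", "10.1.36", "10.1.37"),
    "9.0": ("9.0.0.M1", "9.0.100", "9.0.101"),
    "8.5": ("8.5.0", "8.5.100", None),
    "7.0": ("7.0.0", "7.0.109", None),
}

def parse_version(v):
    """Turn '11.0.0-M1', '9.0.0.M1' or '10.1.36' into a comparable tuple.
    Milestone builds sort before the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    tag = int(milestone) if milestone is not None else 10**6
    return (int(major), int(minor), int(patch), tag)

def assess_version(version):
    """Return (affected, fixed_version). fixed_version is None when the
    advisory names no patched release for that line."""
    pv = parse_version(version)
    line = f"{pv[0]}.{pv[1]}"
    if line not in AFFECTED:
        return (False, None)          # release line not named in the advisory
    lo, hi, fixed = AFFECTED[line]
    return (parse_version(lo) <= pv <= parse_version(hi), fixed)

def uses_gssapi_jndirealm(server_xml):
    """True if any <Realm> (including one nested in a CombinedRealm or
    LockOutRealm) is a JNDIRealm with authentication="GSSAPI"."""
    root = ET.fromstring(server_xml)
    for realm in root.iter("Realm"):
        if (realm.get("className") == "org.apache.catalina.realm.JNDIRealm"
                and realm.get("authentication", "").upper() == "GSSAPI"):
            return True
    return False

def triage(version, server_xml):
    """Combine version exposure with the configuration check."""
    affected, fixed = assess_version(version)
    if not affected:
        return "not in affected range"
    if not uses_gssapi_jndirealm(server_xml):
        return "affected version, JNDIRealm/GSSAPI not configured: patch on normal cadence"
    if fixed:
        return f"EXPOSED: upgrade to {fixed}"
    return "EXPOSED: no fixed release for this line; migrate or change realm authentication"

# Constructed sample server.xml: JNDIRealm with GSSAPI bind auth nested in a LockOutRealm.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.internal:389"
               authentication="GSSAPI"
               useDelegatedCredential="true"
               userBase="ou=people,dc=example,dc=internal"
               userSearch="(uid={0})"/>
      </Realm>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for v in ("9.0.100", "9.0.101", "10.1.0-M1", "8.5.100", "12.0.0"):
        print(v, "->", triage(v, SAMPLE_SERVER_XML))
```

Run it against the output of `catalina.sh version` and the deployment's real server.xml (or context.xml, which may also carry a Realm); a JNDIRealm with any other authentication value is not in scope for this CVE, but an affected version should still be scheduled for upgrade.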